CVE-2020-17087 Overview
CVE-2020-17087 is a Windows Kernel Local Elevation of Privilege vulnerability affecting the Windows Kernel Cryptography Driver (cng.sys). This vulnerability allows an authenticated local attacker to escalate privileges to SYSTEM level by exploiting an improper buffer size calculation in the kernel cryptographic driver. The vulnerability exists due to an integer truncation error (CWE-131: Improper Calculation of Buffer Size) when processing certain IOCTL requests.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild. When chained with other vulnerabilities, it enables complete system compromise from an initial low-privileged foothold.
Affected Products
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows 10 (versions 1507, 1607, 1803, 1809, 1903, 1909, 2004, 20H2)
- Microsoft Windows Server 2008 SP2 and R2 SP2
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016 (including versions 1903, 1909, 2004, 20H2)
- Microsoft Windows Server 2019
Discovery Timeline
- November 11, 2020 - CVE-2020-17087 published to NVD
- October 29, 2025 - Last updated in NVD database
Technical Details for CVE-2020-17087
Vulnerability Analysis
The vulnerability resides in the Windows Kernel Cryptography Driver (cng.sys), specifically in the cng!CfgAdtpFormatPropertyBlock function. The flaw occurs due to a 16-bit integer truncation issue when calculating buffer sizes for cryptographic operations. When a user-mode application sends a specially crafted IOCTL to the cng.sys driver, the improper size calculation leads to a pool buffer overflow condition.
The vulnerability allows an attacker with low privileges on a local system to execute arbitrary code in kernel mode. By carefully crafting the input data, an attacker can trigger the buffer overflow to corrupt adjacent kernel pool memory, potentially overwriting critical data structures. This corruption can be leveraged to achieve arbitrary code execution with SYSTEM privileges.
Root Cause
The root cause is classified as CWE-131 (Improper Calculation of Buffer Size). The cng.sys driver performs a size calculation using a 16-bit integer that can be truncated when processing large input values. This truncation results in an undersized buffer allocation, while subsequent operations use the original, larger size value, causing a heap-based buffer overflow in the Windows kernel pool.
Attack Vector
The attack requires local access to the target system with low-level user privileges. The attacker must be able to execute code locally to send malicious IOCTL requests to the vulnerable driver. The exploitation does not require user interaction and can be triggered programmatically.
The attack flow typically involves:
- An attacker gains initial access to a Windows system with a low-privileged account
- The attacker crafts a malicious IOCTL request with specific parameters designed to trigger the integer truncation
- The request is sent to the cng.sys driver through the DeviceIoControl API
- The undersized buffer allocation combined with oversized data write causes kernel pool corruption
- Through heap spray techniques and controlled memory layout, the attacker gains arbitrary code execution in kernel mode
- The attacker obtains SYSTEM-level privileges on the compromised system
Detection Methods for CVE-2020-17087
Indicators of Compromise
- Unusual IOCTL requests targeting the \Device\CNG device object
- Abnormal process behavior following cryptographic API calls, particularly from untrusted applications
- System crashes (BSOD) with stop codes related to kernel pool corruption or cng.sys
- Unexpected privilege escalation events where low-privileged processes spawn SYSTEM-level child processes
Detection Strategies
- Monitor for suspicious DeviceIoControl calls targeting cng.sys with abnormal buffer sizes
- Implement kernel-level monitoring for pool corruption patterns associated with this vulnerability
- Deploy endpoint detection solutions capable of detecting kernel exploitation techniques
- Use Windows Event Tracing (ETW) to monitor cryptographic driver activity
Monitoring Recommendations
- Enable and monitor Windows Security Event logs for privilege escalation events (Event ID 4672, 4673)
- Configure endpoint detection and response (EDR) tools to alert on suspicious kernel driver interactions
- Monitor for processes making unusual cryptographic API calls followed by privilege changes
- Implement behavioral analysis to detect exploitation chains combining this vulnerability with initial access vectors
How to Mitigate CVE-2020-17087
Immediate Actions Required
- Apply the Microsoft security update immediately to all affected Windows systems
- Prioritize patching for internet-facing systems and high-value assets due to confirmed active exploitation
- Review systems for signs of compromise given this vulnerability's inclusion in CISA's KEV catalog
- Implement application whitelisting to prevent unauthorized code execution that could leverage this vulnerability
Patch Information
Microsoft has released security updates addressing this vulnerability. Patches are available through the Microsoft Security Response Center (MSRC) advisory. Organizations should apply the appropriate updates for their Windows versions through Windows Update, WSUS, or SCCM.
Given this vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and organizations following CISA guidance are required to remediate this vulnerability according to mandated timelines.
Workarounds
- Limit local access to systems by enforcing strict user account policies and least privilege principles
- Implement network segmentation to contain potential lateral movement if exploitation occurs
- Deploy application control solutions to prevent execution of untrusted code that could exploit this vulnerability
- Monitor and restrict access to cryptographic APIs for non-essential applications
# Verify patch installation status
wmic qfe list | findstr /i "KB4586781 KB4586786 KB4586787"
# Check cng.sys driver version (patched versions will have updated timestamps)
dir C:\Windows\System32\drivers\cng.sys
# Enable advanced audit logging for privilege escalation detection
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
