Windows 10 LSASS flaw patched by Microsoft is still exploitable, says researcher


The Google researcher who found the Windows 8.1/10/Server LSASS flaw says Microsoft's August 2020 Patch Tuesday update does not fully fix the vulnerability

In May 2020, Google Project Zero security researcher James Forshaw reported a critical vulnerability in the way Windows enforces the restrictions placed on sandboxed AppContainer processes. Forshaw found that nearly all supported Windows versions, including Windows 8.1, Windows 10 and Windows Server, are affected by an elevation-of-privilege vulnerability in the Windows Local Security Authority Subsystem Service (LSASS).

The vulnerability was assigned the identifier CVE-2020-1509 and carries a CVSS score of 8.8 out of 10. An attacker could exploit it by sending specially crafted authentication requests to LSASS in order to gain elevated privileges on the system. Successful exploitation, however, requires the attacker to have already obtained credentials for the local network. The underlying problem is that an AppContainer is only supposed to be allowed to authenticate to the network with the user's credentials if its package declares the Enterprise Authentication capability, and LSASS was not enforcing that restriction: "LSASS doesn't correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials," Forshaw noted in May.

Microsoft acknowledged the severity of the LSASS vulnerability and addressed it in the August 2020 Patch Tuesday update, released on 11 August 2020. Microsoft's security bulletin states that the August 2020 updates fix the issue and lists no further mitigations.

However, Forshaw disagrees. In a tweet, he said that Microsoft's patch for CVE-2020-1509 is incomplete and that systems running Windows 8.1, Windows 10 and Windows Server remain vulnerable to the LSASS flaw.

According to Forshaw, PCs, laptops and servers running Windows remain vulnerable after the patch as long as a proxy server is configured on the system.

Forshaw says the proof-of-concept exploit he built in May still works; an attacker only needs to add a proxy server in the system's settings and run the code with specific arguments. "The issue is the DsCrackSpn2 call which was highlighted as incorrect has not been fixed. This allows you to specify an SPN which will both satisfy the proxy check and SPN check in CIFS etc. This isn't as general as the original bug as the system needs to have a configured proxy, however in enterprise environments that's likely a given and where this issue is the most serious," Forshaw says.
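The practical question for a defender reading this is whether a given host meets Forshaw's remaining precondition (a configured proxy) and whether the August 2020 update is present at all. The following PowerShell triage script is an added example written for this page; it is not from the article and is not Forshaw's proof of concept. It assumes that the proxy settings worth reporting are the standard WinINet settings under the per-user and per-machine "Internet Settings" registry keys and the WinHTTP proxy shown by `netsh winhttp show proxy`; the article does not say which proxy configuration LSASS consults, so both are reported. The 11 August 2020 date and the `enterpriseAuthentication` capability name come from the text above; everything else (function names, output layout) is the example's own.

```powershell
# Added triage script for CVE-2020-1509 exposure (example code, not from the article
# or from Forshaw). Reports: (1) whether a proxy is configured, the precondition
# Forshaw says still makes the patched system exploitable; (2) which updates were
# installed on or after 11 August 2020; (3) which AppX packages legitimately declare
# enterpriseAuthentication, the capability the bug hands to every AppContainer.
# Assumption: WinINet "Internet Settings" keys and WinHTTP are the relevant proxy
# settings. Run in an elevated PowerShell session on the host being checked.

function Get-WinInetProxy {
    # Per-user (HKCU) and per-machine (HKLM) WinINet proxy settings.
    $hives = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
    foreach ($key in $hives) {
        if (-not (Test-Path $key)) { continue }
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive          = $key.Split(':')[0]
            ProxyEnable   = [int]($v.ProxyEnable)
            ProxyServer   = $v.ProxyServer
            AutoConfigURL = $v.AutoConfigURL
        }
    }
}

function Get-WinHttpProxy {
    # 'netsh winhttp show proxy' prints "Direct access (no proxy server)." when none is set.
    $out = (& netsh.exe winhttp show proxy 2>$null) -join "`n"
    [pscustomobject]@{
        Configured = ($out -notmatch 'Direct access')
        Raw        = $out.Trim()
    }
}

function Test-ProxyConfigured {
    # True if any explicit proxy, PAC URL, or WinHTTP proxy is present.
    $wininet = Get-WinInetProxy | Where-Object { $_.ProxyEnable -eq 1 -and $_.ProxyServer }
    $pac     = Get-WinInetProxy | Where-Object { $_.AutoConfigURL }
    $winhttp = Get-WinHttpProxy
    [bool]($wininet -or $pac -or $winhttp.Configured)
}

function Get-UpdatesSince([datetime]$Since) {
    # Get-HotFix only lists updates recorded by Win32_QuickFixEngineering; an empty
    # result is a reason to check Windows Update history, not proof the patch is missing.
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending
}

function Get-EnterpriseAuthPackages {
    # Packages whose manifest declares the enterpriseAuthentication capability.
    foreach ($pkg in Get-AppxPackage) {
        try {
            $caps = (Get-AppxPackageManifest $pkg).Package.Capabilities.Capability.Name
            if ($caps -contains 'enterpriseAuthentication') { $pkg.PackageFullName }
        } catch { }
    }
}

$patchTuesday = [datetime]'2020-08-11'
$updates      = @(Get-UpdatesSince $patchTuesday)
$proxy        = Test-ProxyConfigured

"OS version    : $([Environment]::OSVersion.Version)"
"Updates since $($patchTuesday.ToShortDateString()): $($updates.Count)"
$updates | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
"Proxy present : $proxy"
Get-WinInetProxy | Format-Table -AutoSize
(Get-WinHttpProxy).Raw

if ($proxy) {
    "A proxy is configured: Forshaw's remaining precondition holds on this host."
}
"AppX packages declaring enterpriseAuthentication:"
Get-EnterpriseAuthPackages
```

The proxy check is the part that matters for Forshaw's claim: a host with no proxy at all is outside the scope of the incomplete fix he describes, while an enterprise host with a PAC file or a WinHTTP proxy is exactly the case he calls most serious. The capability listing is context rather than a detector; it shows which sandboxed apps were meant to have network authentication, so that anything else authenticating to a CIFS or other SPN from an AppContainer stands out during investigation.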

