Security Feature Bypass in Microsoft MSR JavaScript Cryptography Library



Published: 2020-04-14
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-1026
CWE-ID CWE-254
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
MSR JavaScript Cryptography Library
Universal components / Libraries / Libraries used by multiple products

Vendor Microsoft

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Security Features

EUVDB-ID: #VU26887

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-1026

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

This vulnerability allows a local user to bypass security rescritions feature.

The vulnerability exists in the MSR JavaScript Cryptography Library due to multiple bugs in the library’s Elliptic Curve Cryptography (ECC) implementation. A remote attacker can gain information about a server’s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

MSR JavaScript Cryptography Library: All versions


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###