Inadequate Encryption Strength in WindowsHello - CVE-2020-11005


Published: April 21, 2020


Vulnerability identifier: #VU27046
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-11005
CWE-ID: CWE-326
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: SeppPenner
Affected software:
WindowsHello

Detailed vulnerability description

The vulnerability allows a local attacker to gain access to sensitive information on the target system.

The vulnerability exists due to a weak hashing algorithm and insecure permissions. If the library is used to encrypt text and the output is written to a .txt file, a local attacker can use another executable to decrypt the text with the static method "NCryptDecrypt" from the same library, without having to pass Windows Hello authentication again.


How to mitigate CVE-2020-11005

Install updates from the vendor's website.

Sources