#VU26887 Security Features


Published: 2020-04-14

Vulnerability identifier: #VU26887

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-1026

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MSR JavaScript Cryptography Library
Universal components / Libraries / Libraries used by multiple products

Vendor: Microsoft

Description

This vulnerability allows a local user to bypass security rescritions feature.

The vulnerability exists in the MSR JavaScript Cryptography Library due to multiple bugs in the library’s Elliptic Curve Cryptography (ECC) implementation. A remote attacker can gain information about a server’s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MSR JavaScript Cryptography Library: All versions


CPE

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability