CVE-2020-1459: Windows ARM Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 5.5)

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Aug

Released

2020-08-11

EPSS Score

7.15% (percentile: 91.6%)

Description

An information disclosure vulnerability exists on ARM implementations that use speculative execution in control flow via a side-channel analysis, aka "straight-line speculation." To exploit this vulnerability, an attacker with local privileges would need to run a specially crafted application. The security update addresses the vulnerability by bypassing the speculative execution.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

Affected Products (4)

Windows

• Windows 10 Version 1809 for ARM64-based Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 2004 for ARM64-based Systems

Security Updates (3)

• 4565349
• 4565351
• 4566782

Acknowledgments

Anthony Steinhauser, Google's Safeside project, https://github.com/google/safeside

Revision History

• 2020-08-11: Information published.