CVE-2020-16910

Windows Security Feature Bypass Vulnerability

Severity Score

6.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location.
To exploit this vulnerability, an attacker could run a specially crafted application to bypass Unified Extensible Firmware Interface (UEFI) variable security in Windows.
The security update addresses the vulnerability by correcting security feature behavior to enforce permissions.

Se presenta una vulnerabilidad de omisión de la característica de seguridad cuando Microsoft Windows presenta un fallo al manejar permisos de creación de archivos, lo que podría permitir a un atacante crear archivos en una ubicación protegida de Unified Extensible Firmware Interface (UEFI). Para explotar esta vulnerabilidad, un atacante podría correr una aplicación especialmente diseñada para omitir la seguridad variable de Unified Extensible Firmware Interface (UEFI) en Windows. La actualización de seguridad aborda la vulnerabilidad mediante la corrección del comportamiento de la característica de seguridad para hacer cumplir los permisos, también se conoce como "Windows Security Feature Bypass Vulnerability"

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-08-04 CVE Reserved
2020-10-16 CVE Published
2024-03-21 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-281: Improper Preservation of Permissions

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16910	2023-12-31

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1607 Search vendor "Microsoft" for product "Windows 10" and version "1607"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1709 Search vendor "Microsoft" for product "Windows 10" and version "1709"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1803 Search vendor "Microsoft" for product "Windows 10" and version "1803"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1809 Search vendor "Microsoft" for product "Windows 10" and version "1809"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1903 Search vendor "Microsoft" for product "Windows 10" and version "1903"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1909 Search vendor "Microsoft" for product "Windows 10" and version "1909"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				2004 Search vendor "Microsoft" for product "Windows 10" and version "2004"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				1903 Search vendor "Microsoft" for product "Windows Server 2016" and version "1903"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				1909 Search vendor "Microsoft" for product "Windows Server 2016" and version "1909"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				2004 Search vendor "Microsoft" for product "Windows Server 2016" and version "2004"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2019 Search vendor "Microsoft" for product "Windows Server 2019"				-		-		Affected