CVE-2020-17103

Name of the Vulnerable Software and Affected Versions Windows (affected versions not specified)

Description An elevation of privilege issue exists in the Windows Cloud Files Mini Filter Driver (cldflt.sys), which is used for cloud storage integration and OneDrive Files On-Demand. The flaw stems from insecure privilege management, allowing a low-privileged attacker to escalate their privileges to NT AUTHORITYSYSTEM. Technical exploitation involves modifying the windir environment variable in the registry to redirect the execution of wermgr.exe within a privileged scheduled task. This can lead to full host takeover, disabling of security software, credential theft via LSASS dumps, and lateral movement within an Active Directory infrastructure.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Monitor for the creation of unknown services, scheduled tasks, or drivers. Monitor for the execution of system binaries or masquerading files from non-standard directories. Monitor for the creation of symbolic links in HKEY USERS.DEFAULTSoftwarePoliciesMicrosoftCloudFilesBlockedApps.