CVE-2020-1313
published 2020-06-09CVE-2020-1313: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update…
PriorityP258high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
39.97%
98.4th percentile
An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Orchestrator Service Elevation of Privilege Vulnerability'.
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_10_version_1909_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1909_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1909_for_x64-based_systems | — | — |
| microsoft | windows_10_version_2004_for_32-bit_systems | — | — |
| microsoft | windows_10_version_2004_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_2004_for_x64-based_systems | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_version_1903_for_32-bit_systems | — | — |
| msrc | windows_10_version_1903_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1903_for_x64-based_systems | — | — |
| msrc | windows_10_version_1909_for_32-bit_systems | — | — |
| msrc | windows_10_version_1909_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1909_for_x64-based_systems | — | — |
| msrc | windows_10_version_2004_for_32-bit_systems | — | — |
| msrc | windows_10_version_2004_for_arm64-based_systems | — | — |
| msrc | windows_10_version_2004_for_x64-based_systems | — | — |
| msrc | windows_server_version_1903 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The exploit abuses the UniversalOrchestrator ScheduleWork API call, which does not verify the caller's token before scheduling a job to run as SYSTEM. Monitor for unexpected use of this API by non-privileged processes. ↗
- →A Metasploit module exists for this vulnerability (cve_2020_1313_system_orchestrator.rb). Hunt for execution of this module or payloads spawned by the Windows Update Orchestrator Service (UsoSvc/usosvc.exe) that are not legitimate update binaries. ↗
- →Monitor for processes spawned in an elevated (SYSTEM) context by the Windows Update Orchestrator Service that originate from unexpected or user-writable paths, as the exploit schedules arbitrary jobs to run as SYSTEM within the next 24 hours. ↗
- →Alert on specially crafted applications running on victim systems that interact with the Windows Update Orchestrator Service, particularly those invoking ScheduleWork without legitimate update context. ↗
- ·The payload execution timing is non-deterministic — it will fire as SYSTEM at some point within 24 hours of scheduling, making immediate post-exploitation detection harder. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-hcfw-mr8f-6c3h: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Or
ghsa_unreviewed·2022-05-24
CVE-2020-1313 [MEDIUM] CWE-269 GHSA-hcfw-mr8f-6c3h: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Or
An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Orchestrator Service Elevation of Privilege Vulnerability'.
Microsoft
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
vendor_msrc·2020-06-09·CVSS 7.8
CVE-2020-1313 [HIGH] Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
An attacker could exploit this vulnerability by running a specially crafted application on the victim system.
The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations.
Microsoft Windows: Microsoft Windows
Microsoft: Microsoft
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely;DOS:N/
No detection rules found.
http://packetstormsecurity.com/files/159305/Microsoft-Windows-Update-Orchestrator-Unchecked-ScheduleWork-Call.htmlhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1313http://packetstormsecurity.com/files/159305/Microsoft-Windows-Update-Orchestrator-Unchecked-ScheduleWork-Call.htmlhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1313
2020-06-09
Published