Overview
CVE-2020-0951 is a security feature bypass vulnerability in Windows Defender Application Control (WDAC), the Windows policy engine that decides which applications, scripts and code are allowed to run on a system. When a WDAC policy is enforced, PowerShell is normally locked to Constrained Language Mode, which blocks the .NET and COM access that malicious scripts rely on. This vulnerability allows an attacker who already holds administrator privileges on the device to bypass those WDAC restrictions specifically for PowerShell commands, so PowerShell code that the policy would otherwise block can be executed. The requirement for prior administrator access limits the risk, but once that access is obtained the attacker can defeat a control that WDAC is designed to uphold even against administrators, and so run code the organization's allow-list was meant to keep off the machine.
Remediation
Microsoft has released a security update that addresses this vulnerability by correcting how PowerShell commands are validated when WDAC protection is enabled. Organizations should:
- Apply the latest Microsoft security updates to all affected systems.
- Verify after patching that WDAC policies are still deployed in enforced mode (not audit mode) and that PowerShell sessions under the policy report Constrained Language Mode.
- Follow the principle of least privilege: because exploitation requires administrator access, limit which accounts hold local administrator rights and for how long.
- Monitor PowerShell activity on critical systems for suspicious commands, in particular attempts to change a session's language mode or to load unsigned code.
- Enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, event ID 4104) and forward those events to central logging so that bypass attempts leave a record.
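The checks above can be scripted. The following PowerShell is an added example written for this page, not code from the Microsoft advisory: it reads the WDAC enforcement status, reports the current language mode, turns on script block logging, and hunts recent 4104 events for language-mode tampering. It assumes it runs elevated on a Windows 10 or Windows Server host that has a WDAC policy deployed; the `LanguageMode|FullLanguage` search pattern is a heuristic chosen for this example, not a signature from the advisory.

```powershell
# Added example for CVE-2020-0951 follow-up, not part of the Microsoft advisory.
# Assumes an elevated session on a host with a WDAC policy deployed.

# 1. Is WDAC user-mode code integrity actually enforced?
#    Win32_DeviceGuard reports 0 = off, 1 = audit mode, 2 = enforced.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$umci = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
switch ($umci) {
    2       { "WDAC user-mode policy: enforced" }
    1       { "WDAC user-mode policy: AUDIT ONLY (not blocking)" }
    default { "WDAC user-mode policy: not active" }
}

# 2. Under an enforced WDAC policy, an unsigned/unallowed PowerShell session
#    should report ConstrainedLanguage. FullLanguage here means the session is
#    either trusted by the policy or the policy is not restricting PowerShell.
"Current PowerShell language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 3. Enable script block logging so that executed script text is written to
#    Microsoft-Windows-PowerShell/Operational as event ID 4104.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 4. Hunt: recent 4104 events whose script text touches the language mode.
#    The regex is a heuristic assumed for this example, not an advisory IOC.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 500 -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match 'LanguageMode|FullLanguage' } |
    Select-Object TimeCreated,
        @{ Name = 'Snippet'; Expression = { ($_.Message -split "`n")[0] } }

# 5. Most recent installed updates, to compare against the advisory's KB list.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
```

Step 2 is the quickest sanity check after patching: open a fresh, non-elevated PowerShell window on a machine with the policy enforced and confirm it reports ConstrainedLanguage rather than FullLanguage.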
References
- Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0951
- Microsoft Security Response Center: https://msrc.microsoft.com/
- Windows Defender Application Control documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/
Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking lists industries from the most to the least affected by this particular vulnerability, showing where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation where it is most needed. By understanding the industry-specific impact, organizations can make more informed decisions about patching, resource allocation, and overall risk management related to this CVE.
- Manufacturing: Medium
- Public Administration: Medium
- Health Care & Social Assistance: Medium
- Educational Services: Medium
- Finance and Insurance: Medium
- Transportation & Warehousing: Medium
- Professional, Scientific, & Technical Services: Medium
- Retail Trade: Medium
- Arts, Entertainment & Recreation: Low
- Other Services (except Public Administration): Low
- Utilities: Low
- Information: Low
- Management of Companies & Enterprises: Low
- Agriculture, Forestry, Fishing & Hunting: Low
- Accommodation & Food Services: Low
- Mining: Low
- Real Estate, Rental & Leasing: Low
- Construction: Low
- Administrative, Support, Waste Management & Remediation Services: Low
- Wholesale Trade: Low

