Published: 11/02/2015 Updated: 12/10/2018
CVSS v2 Base Score: 1.9 | Impact Score: 2.9 | Exploitability Score: 3.4

Vulnerability Summary

The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.

Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: LOCAL
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Affected Products


Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using the Microsoft Baseline Security Analyzer (MBSA) scan tool to identify common security misconfigurations and missing security updates on system endpoints.

Administrators may consider configuring the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to work with the affected software.

Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.

Administrators are advised to use an unprivileged account when browsing the Internet.

Administrators are advised to monitor critical systems.


To exploit the vulnerability, the attacker may provide a user with a link that directs to a malicious site or with a crafted file intended to submit malicious input to the affected software. The attacker could then use misleading language or instructions to persuade the user to follow the link or open the file.

Microsoft has resolved the vulnerability by correcting the way the affected software enforces impersonation-level security restrictions.

The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the February 2015 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for February 2015
