CVE-2020-17136: 
vulnerability analysis and mitigation

CVE-2020-17136 is a Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability that was disclosed on December 10, 2020. The vulnerability affects various versions of Microsoft Windows 10 and Windows Server operating systems. This vulnerability was assigned a CVSS v3.1 base score of 7.8 (High) (NVD).

The vulnerability exists in the cloud filter driver (cldflt.sys) which runs in kernel mode. The issue occurs when creating placeholder files through the CfCreatePlaceholders API, where several security checks are bypassed. Specifically, the FSCTL control code sent to the kernel mode filter driver creates placeholder files without specifying the IOFORCEACCESSCHECK or OBJFORCEACCESSCHECK flags, resulting in insufficient access validation. The vulnerability allows an attacker to exploit path handling issues and bypass directory access controls (AttackerKB).

When successfully exploited, this vulnerability allows an authenticated attacker to elevate their privileges and potentially gain unauthorized access to protected directories on the system. The vulnerability received a CVSS v3.1 base score of 7.8 (High), indicating significant potential impact on system security (NVD).

Microsoft addressed this vulnerability in December 2020 by updating the HsmpOpCreatePlaceholders() function in cldflt.sys to implement additional path validation checks and modify certain logic flows. After applying the patch, attempts to exploit the vulnerability result in a "The cloud operation is invalid" error message (AttackerKB).