
Race condition between NVDA starting and Windows locking

High
seanbudd published GHSA-72mj-mqhj-qh4w Jan 3, 2023

Software

nvda

Affected versions

<2022.3.1

Patched versions

2022.3.1

Description

Summary

If NVDA crashes on the lock screen, it restarts insecurely, unaware that Windows is locked.
The newly started instance of NVDA then does not prevent actions that pose a risk to users.
For example, the NVDA Python console becomes accessible from the lock screen.

The same outcome follows from a race condition when a user starts NVDA and then immediately locks Windows.
The newly started instance of NVDA is again unaware of the lock and does not prevent actions that pose a risk to users, such as opening the NVDA Python console from the lock screen.

Both cases are due to a bug where NVDA assumed Windows was unlocked when starting.

Patch commit(s)

9215690

Limitations

It is very rare for NVDA to crash on the lock screen.
Currently, the only known cause of a crash on the lock screen is via a defective add-on.

The other way to cause this is the unusual event of a user starting NVDA then immediately locking Windows.

The lock screen must be enabled.
This is the default in Windows.
Refer to workarounds section for disabling the lock screen.

Technical details

In 2022.2.1, code was introduced to change how NVDA tracks whether or not Windows is locked, using Windows session tracking instead (see GHSA-rmq3-vvhq-gp32).

A race condition exists between NVDA starting and Windows locking.
The current code assumes that NVDA starts while Windows is unlocked.
Until it has registered for session tracking events, NVDA is unaware that Windows is locked, and registration only delivers later lock and unlock transitions, not the state at the moment of registration.
The session tracking methods therefore need to initialize the session state by querying the session directly.
If NVDA starts after Windows locks, NVDA will be running insecurely.

For example, press ctrl+alt+n and then Windows+L immediately.
Alternatively, NVDA can crash on the lock screen, which causes it to restart on the lock screen.

Either way, NVDA is running insecurely: for example, the NVDA Python console can be opened from the lock screen.
According to Windows documentation, there is no reliable way to determine whether Windows is currently locked.
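The startup query described above, as an added example: this is not NVDA's code and not the content of commit 9215690, but an illustration of how a process started on the lock screen can seed its session-lock state from the Terminal Services API instead of assuming "unlocked". The WTS_* constants and the WTSINFOEXW layout follow the Windows SDK header wtsapi32.h; the function names (lock_state_from_flags, lock_state_from_info, query_session_locked, initial_lock_state, build_info) are this example's own, and the constructed WTSINFOEXW buffers exist only so the parsing can be exercised off Windows.

```python
"""Seed a session-lock tracker at startup by querying the session directly.

Added example, not NVDA's own code: helper names are this example's own,
constant values and the WTSINFOEXW layout follow wtsapi32.h.
"""
import ctypes
import sys
from typing import Callable, Optional

# WTS_INFO_CLASS member and WTS_SESSIONSTATE_* flags from wtsapi32.h.
WTSSessionInfoEx = 25
WTS_SESSIONSTATE_UNKNOWN = 0xFFFFFFFF
WTS_SESSIONSTATE_LOCK = 0
WTS_SESSIONSTATE_UNLOCK = 1
WTS_CURRENT_SERVER_HANDLE = None  # NULL handle: the local machine
WTS_CURRENT_SESSION = 0xFFFFFFFF  # the calling process's own session


class WTSINFOEX_LEVEL1_W(ctypes.Structure):
    # Only SessionFlags is used; the other fields keep the SDK layout so the
    # structure can be overlaid on the buffer the API returns.
    _fields_ = [
        ("SessionId", ctypes.c_uint32),
        ("State", ctypes.c_int),           # WTS_CONNECTSTATE_CLASS
        ("SessionFlags", ctypes.c_int32),  # LONG holding WTS_SESSIONSTATE_*
        ("WinStationName", ctypes.c_wchar * 33),
        ("UserName", ctypes.c_wchar * 21),
        ("DomainName", ctypes.c_wchar * 18),
        ("LogonTime", ctypes.c_longlong),
        ("ConnectTime", ctypes.c_longlong),
        ("DisconnectTime", ctypes.c_longlong),
        ("LastInputTime", ctypes.c_longlong),
        ("CurrentTime", ctypes.c_longlong),
        ("IncomingBytes", ctypes.c_uint32),
        ("OutgoingBytes", ctypes.c_uint32),
        ("IncomingFrames", ctypes.c_uint32),
        ("OutgoingFrames", ctypes.c_uint32),
        ("IncomingCompressedBytes", ctypes.c_uint32),
        ("OutgoingCompressedBytes", ctypes.c_uint32),
    ]


class WTSINFOEX_LEVEL_W(ctypes.Union):
    _fields_ = [("WTSInfoExLevel1", WTSINFOEX_LEVEL1_W)]


class WTSINFOEXW(ctypes.Structure):
    _fields_ = [("Level", ctypes.c_uint32), ("Data", WTSINFOEX_LEVEL_W)]


def lock_state_from_flags(flags: int, flags_inverted: bool = False) -> Optional[bool]:
    """Map WTS_SESSIONSTATE_* to True (locked) / False (unlocked); None for UNKNOWN.

    flags_inverted covers the documented Windows 7 / Server 2008 R2 defect where
    the LOCK and UNLOCK values are swapped.
    """
    flags &= 0xFFFFFFFF  # SessionFlags is a signed LONG, so UNKNOWN arrives as -1
    if flags == WTS_SESSIONSTATE_UNKNOWN:
        return None
    locked = flags == WTS_SESSIONSTATE_LOCK
    return (not locked) if flags_inverted else locked


def lock_state_from_info(info: WTSINFOEXW, flags_inverted: bool = False) -> Optional[bool]:
    """Read the lock state out of a WTSINFOEXW, refusing any Level other than 1."""
    if info.Level != 1:
        return None
    return lock_state_from_flags(info.Data.WTSInfoExLevel1.SessionFlags, flags_inverted)


def build_info(level: int, session_flags: int) -> WTSINFOEXW:
    """Constructed WTSINFOEXW (test input only; not something the API returned)."""
    info = WTSINFOEXW()
    info.Level = level
    info.Data.WTSInfoExLevel1.SessionFlags = session_flags
    return info


def query_session_locked() -> Optional[bool]:
    """Ask wtsapi32 whether the calling session is locked right now.

    Returns None off Windows, when the call fails, or when Windows reports UNKNOWN.
    """
    if sys.platform != "win32":
        return None
    wtsapi32 = ctypes.WinDLL("wtsapi32", use_last_error=True)
    query = wtsapi32.WTSQuerySessionInformationW
    query.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_int,
                      ctypes.POINTER(ctypes.POINTER(WTSINFOEXW)),
                      ctypes.POINTER(ctypes.c_uint32)]
    query.restype = ctypes.c_int  # BOOL
    wtsapi32.WTSFreeMemory.argtypes = [ctypes.c_void_p]
    buf = ctypes.POINTER(WTSINFOEXW)()
    size = ctypes.c_uint32(0)
    if not query(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION, WTSSessionInfoEx,
                 ctypes.byref(buf), ctypes.byref(size)):
        return None
    try:
        if size.value < ctypes.sizeof(WTSINFOEXW):
            return None
        win7 = sys.getwindowsversion()[:2] == (6, 1)
        return lock_state_from_info(buf.contents, flags_inverted=win7)
    finally:
        wtsapi32.WTSFreeMemory(buf)


def initial_lock_state(query: Callable[[], Optional[bool]] = query_session_locked) -> bool:
    """Seed the tracker before any lock/unlock notification can have arrived.

    The advisory's bug was treating "no event seen yet" as "unlocked". Here an
    unknown answer is treated as locked, so restricted features stay disabled
    until an explicit unlock notification says otherwise.
    """
    state = query()
    return True if state is None else state
```

Order matters when wiring this into a tracker: register for session change notifications first and only then call initial_lock_state(), so a lock that lands between the query and the registration still produces an event; doing it the other way round reopens the same window this advisory describes. Because Windows offers no guaranteed answer, the fail-closed default (treat UNKNOWN as locked) is the part a reviewer should insist on.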

Proof of concept

Crash NVDA on the lock screen

  1. Crash NVDA via an add-on
  2. Press NVDA+n, and activate the speech viewer.
  3. From here, alt+tab back into the speech viewer.
  4. Press NVDA+n, and activate the NVDA python console.

Race condition when locking Windows

  1. Start NVDA ctrl+alt+n
  2. Press Windows+L immediately
  3. Press NVDA+n, and activate the NVDA python console.

Indicators of compromise

Unknown

Workarounds

You can prevent this issue when using older NVDA versions by disabling the lock screen. Disabling the Windows lock screen will cause locking the computer to go straight to the secure sign-in screen. To do this:

Using Windows Home

  1. Open the run dialog with Windows+R
  2. Enter and run: regedit (may require administrative access)
  3. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization:
    • "Personalization" may need to be created as a folder in "Windows".
  4. Open the context menu with shift+f10 on the “Personalization” folder.
  5. Create a new DWORD (32-bit) value from the menu.
    • Set the name to NoLockScreen
    • Set the value data to 1

Using Windows Professional

  1. Open the run dialog with Windows+R
  2. Enter and run: gpedit.msc (may require administrative access)
  3. Using the “Local Group Policy Editor” window
    • Navigate to Local Computer Policy, Computer Configuration, Administrative Templates, Control Panel, Personalization, Do Not Display the Lock Screen
    • Enable "Do Not Display the Lock Screen"
  4. Confirm with Windows+L that the lock screen is skipped and Windows goes directly to the secure sign-on screen.

Timeline

  • Reported mid September 2022 by @tspivey
  • Additional related report late September 2022 by @CyrilleB79
  • Released in 2022.3.1 on October 17 2022

For more information

If you have any questions or comments about this advisory:

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
7.7 / 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

No CWEs

Credits