
KLA10979 Multiple vulnerabilities in Microsoft Windows

2017-03-14 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 9.3 High
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
  Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE
  Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

CVSS3: 5.5 Medium
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE

AI Score: 9.3 High (Confidence: High)

EPSS: 0.974 High (Percentile: 99.9%)

Multiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, gain privileges, obtain sensitive information and cause a denial of service.

Below is a complete list of vulnerabilities:

  1. Improper validation of certain elements of a signed PowerShell script in Device Guard can be exploited remotely to bypass security restrictions;
  2. Incorrect handling of certain requests sent by a malicious SMB server to the client can be exploited remotely: injected HTML header links, redirectors and other methods can cause the SMB client to connect to a malicious SMB server, resulting in a denial of service;
  3. Improper validation of input before loading DLL files can be exploited remotely to execute arbitrary code;
  4. A failure in handling requests in dnsclient can be exploited remotely, by making a user visit an untrusted web page (if the target is a workstation) or by sending a DNS query to a malicious server (if the target is a server), to obtain sensitive information;
  5. Improper client authentication in Helppane.exe can be exploited remotely to gain privileges and execute arbitrary code;
  6. An integer overflow vulnerability in the iSNS Server service can be exploited remotely by connecting to the iSNS Server with a specially designed application and sending malicious requests through it, to execute arbitrary code in the context of the SYSTEM account.

Technical details

Vulnerability (2) is related to the Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client implementations.

Vulnerability (3) can be exploited by an attacker who has access to the local system and is able to run a malicious application.

Vulnerability (5) can be exploited if a DCOM object in Helppane.exe is configured to run as the interactive user.

Vulnerability (6) occurs because the iSNS Server service fails to properly validate input from the client.

Original advisories

MS17-012

CVE-2017-0051, CVE-2017-0021, CVE-2017-0095, CVE-2017-0096, CVE-2017-0097, CVE-2017-0098, CVE-2017-0099, CVE-2017-0109, CVE-2017-0074, CVE-2017-0075, CVE-2017-0076, CVE-2017-0055, CVE-2017-0102, CVE-2017-0103, CVE-2017-0101, CVE-2017-0050, CVE-2017-0056, CVE-2017-0024, CVE-2017-0026, CVE-2017-0078, CVE-2017-0079, CVE-2017-0080, CVE-2017-0081, CVE-2017-0082, CVE-2017-0043, CVE-2017-0045, CVE-2017-0022, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2017-0014, CVE-2017-0060, CVE-2017-0061, CVE-2017-0062, CVE-2017-0063, CVE-2017-0025, CVE-2017-0073, CVE-2017-0108, CVE-2017-0038, CVE-2017-0001, CVE-2017-0005, CVE-2017-0047, CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0085, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, CVE-2017-0090, CVE-2017-0091, CVE-2017-0092, CVE-2017-0111, CVE-2017-0112, CVE-2017-0113, CVE-2017-0114, CVE-2017-0115, CVE-2017-0116, CVE-2017-0117, CVE-2017-0118, CVE-2017-0119, CVE-2017-0120, CVE-2017-0121, CVE-2017-0122, CVE-2017-0123, CVE-2017-0124, CVE-2017-0125, CVE-2017-0126, CVE-2017-0127, CVE-2017-0128, CVE-2017-0130, CVE-2017-0008, CVE-2017-0057, CVE-2017-0100, CVE-2017-0104, CVE-2017-0007, CVE-2017-0016, CVE-2017-0039

Exploitation

These vulnerabilities can be exploited by the following malware:

https://threats.kaspersky.com/en/threat/Intrusion.Win.EternalRomance/

https://threats.kaspersky.com/en/threat/Intrusion.Win.CVE-2017-0147.sa.leak/

Public exploits exist for these vulnerabilities.

Related products

Microsoft-Windows-Vista-4, Microsoft-Windows-Server-2012, Microsoft-Windows-7, Microsoft-Windows-Server-2008, Windows-RT, Microsoft-Windows-10

CVE list

CVE-2017-0051 (high), CVE-2017-0021 (critical), CVE-2017-0095 (critical), CVE-2017-0096 (warning), CVE-2017-0097 (high), CVE-2017-0098 (high), CVE-2017-0099 (high), CVE-2017-0109 (critical), CVE-2017-0074 (high), CVE-2017-0075 (critical), CVE-2017-0076 (high), CVE-2017-0055 (high), CVE-2017-0102 (critical), CVE-2017-0103 (high), CVE-2017-0101 (critical), CVE-2017-0050 (critical), CVE-2017-0056 (critical), CVE-2017-0024 (critical), CVE-2017-0026 (critical), CVE-2017-0078 (critical), CVE-2017-0079 (critical), CVE-2017-0080 (critical), CVE-2017-0081 (critical), CVE-2017-0082 (critical), CVE-2017-0043 (high), CVE-2017-0045 (high), CVE-2017-0022 (warning), CVE-2017-0143 (critical), CVE-2017-0144 (critical), CVE-2017-0145 (critical), CVE-2017-0146 (critical), CVE-2017-0147 (high), CVE-2017-0148 (critical), CVE-2017-0014 (critical), CVE-2017-0060 (high), CVE-2017-0061 (high), CVE-2017-0062 (warning), CVE-2017-0063 (high), CVE-2017-0025 (critical), CVE-2017-0073 (warning), CVE-2017-0108 (critical), CVE-2017-0038 (high), CVE-2017-0001 (critical), CVE-2017-0005 (high), CVE-2017-0047 (critical), CVE-2017-0072 (critical), CVE-2017-0083 (critical), CVE-2017-0084 (critical), CVE-2017-0085 (warning), CVE-2017-0086 (critical), CVE-2017-0087 (critical), CVE-2017-0088 (critical), CVE-2017-0089 (critical), CVE-2017-0090 (critical), CVE-2017-0091 (warning), CVE-2017-0092 (warning), CVE-2017-0111 (warning), CVE-2017-0112 (warning), CVE-2017-0113 (warning), CVE-2017-0114 (warning), CVE-2017-0115 (warning), CVE-2017-0116 (warning), CVE-2017-0117 (warning), CVE-2017-0118 (warning), CVE-2017-0119 (warning), CVE-2017-0120 (warning), CVE-2017-0121 (warning), CVE-2017-0122 (warning), CVE-2017-0123 (warning), CVE-2017-0124 (warning), CVE-2017-0125 (warning), CVE-2017-0126 (warning), CVE-2017-0127 (warning), CVE-2017-0128 (warning), CVE-2017-0130 (critical), CVE-2017-0008 (warning), CVE-2017-0057 (warning), CVE-2017-0100 (critical), CVE-2017-0104 (critical), CVE-2017-0007 (high), CVE-2017-0016 (high), CVE-2017-0039 (critical)

KB list

4012217, 4012215, 4012216, 4012606, 4013198, 4013429, 3211306, 4012212, 4012214, 4012213, 4012598, 4012583, 3217587, 4012021, 4012373, 4012497, 4017018, 4012584, 3218362, 3205715, 4011981, 3217882

Solution

Install the updates from the KB section that are offered for your system in Windows Update (Windows Update can usually be accessed from the Control Panel).
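An added example, not part of the Kaspersky advisory: a PowerShell check that reports which of the KB articles listed in this bulletin are present on the local host. The KB numbers are the ones from the "KB list" section above; the script itself and its output format are assumptions of this example.

```powershell
# Added example (not from the KLA10979 advisory): check which KBs from the
# bulletin's KB list are installed on this host.
# KB numbers below are taken from the advisory's "KB list" section.
$kbList = @(
    '4012217','4012215','4012216','4012606','4013198','4013429','3211306',
    '4012212','4012214','4012213','4012598','4012583','3217587','4012021',
    '4012373','4012497','4017018','4012584','3218362','3205715','4011981',
    '3217882'
)

# Get-HotFix reads Win32_QuickFixEngineering; HotFixID values look like "KB4012212".
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# One row per KB from the advisory, with whether it was found on this host.
$report = foreach ($kb in $kbList) {
    [pscustomobject]@{
        KB        = "KB$kb"
        Installed = ($installed -contains "KB$kb")
    }
}

$report | Format-Table -AutoSize

# The list spans several Windows versions; only a subset applies to any one host,
# so flag the case where none of them is present rather than requiring all.
if (-not ($report | Where-Object Installed)) {
    Write-Warning 'None of the KBs listed in KLA10979 were found on this host; confirm its patch state by other means.'
}
```

Two caveats when reading the output: the KB list covers Vista through Windows 10 and Server 2008 through Server 2012 R2, and each host only needs the rollup or security-only update for its own version; and on Windows 10, later cumulative updates supersede the March 2017 ones, so a missing KB from this list does not by itself mean the host is unpatched. Get-HotFix also omits updates installed through some channels, so treat a negative result as a prompt to check Windows Update history, not as proof of exposure.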

Impacts

  • ACE: Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute arbitrary code or commands on the vulnerable machine or in the vulnerable process.

  • OSI: Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an attacker to capture information that is critical to the user or the system.

  • DoS: Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SB: Security bypass. Exploitation of vulnerabilities with this impact can allow actions that are restricted by the current security settings.

  • PE: Privilege escalation. Exploitation of vulnerabilities with this impact can allow an attacker to perform actions that are normally disallowed for the current role.

Affected Products

  • Microsoft Windows Vista Service Pack 2
  • Microsoft Windows 7 Service Pack 1
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2008 Service Pack 2
  • Microsoft Windows Server 2008 R2 Service Pack 1
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
