CERTVU:101048Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.972 High
EPSS
Percentile
99.8%
Overview
The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can trigger the .NET framework to trigger a specially-crafted WSDL file, this can result in arbitrary code execution.
This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded Soap Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible.
Impact
By causing the .NET framework to parse a specially-crafted WSDL file with the SOAP Moniker, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open a RTF document.
Solution
Apply an update
This issue is addressed in CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability
Enable Protected View for RTF documents in Microsoft Word
Exploits in the wild utilize RTF documents. These public exploits are blocked if Protected Mode is enabled for RTF documents in Microsoft Word. Refer to File Block Settings in the Microsoft Office Trust Center. For example, the following registry values can be used to block the opening of RTF documents in Word 2016:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]
"RtfFiles"=dword:00000002
For other versions of Office, the path above will need to be modified to match the version number associated with the installed version of Office.
Vendor Information
101048
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Corporation Affected
Updated: September 13, 2017
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 6.5 | E:H/RL:OF/RC:C |
| Environmental | 6.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- <https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>
- <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>
Acknowledgements
This issue was discovered by Genwei Jiang and Dhanesh Kizhakkinan of FireEye, Inc.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2017-8759 |
|---|---|
| Date Public: | 2017-09-12 Date First Published: |
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.972 High
EPSS
Percentile
99.8%