CVSS3: 7.8 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.971 High

Percentile: 99.8%

Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges.
The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC, which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs. This can be leveraged to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code. Compatibility with other Windows versions is possible with further modifications.
This vulnerability is being exploited in the wild.
An authenticated local user may be able to gain elevated (SYSTEM) privileges.
Apply an update
This issue is addressed in the Microsoft update for CVE-2018-8440.
Deploy Microsoft Sysmon Detection Rules
Kevin Beaumont has provided guidance for creating rules to detect exploitation of this vulnerability.
Set ACLs on the **C:\Windows\Tasks** directory
Karsten Nilsen has provided a mitigation for this vulnerability. Caution: This mitigation has not been approved by Microsoft. However, in our testing it does block exploits for this vulnerability. It also appears to let scheduled tasks continue to run, and users can continue to create new scheduled tasks as necessary. However, this change will reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates. Please test this mitigation to ensure that it does not cause unacceptable consequences in your environment.
To apply this mitigation, run the following commands in an elevated-privilege prompt:
icacls c:\windows\tasks /remove:g "Authenticated Users"
icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)
Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:
icacls c:\windows\tasks /remove:d system
icacls c:\windows\tasks /grant:r "Authenticated Users":(RX,WD)
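Because the workaround has to be undone once the update for CVE-2018-8440 is installed, it helps to know which hosts still carry it. The following read-only PowerShell audit is an added example, not part of the original advisory; the function name `Test-TasksAclMitigation` and the `State` labels are hypothetical, and it assumes the mitigation was applied with exactly the icacls commands above.

```powershell
# Added example: read-only audit of the C:\Windows\Tasks ACL workaround.
# Test-TasksAclMitigation and the State labels are hypothetical names.
function Test-TasksAclMitigation {
    [CmdletBinding()]
    param([string]$Path = 'C:\Windows\Tasks')

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, resolved to SIDs so that localized
    # account names do not affect the comparison.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

    $authUsers = 'S-1-5-11'   # Authenticated Users
    $system    = 'S-1-5-18'   # NT AUTHORITY\SYSTEM
    $rights    = [System.Security.AccessControl.FileSystemRights]
    # icacls WD = write data / add file, WDAC = write DAC
    $denyMask  = [int]($rights::WriteData -bor $rights::ChangePermissions)

    # Removed by "/remove:g": any allow entry for Authenticated Users.
    $authGrant = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $authUsers -and
        $_.AccessControlType -eq 'Allow'
    })

    # Added by "/deny system:(OI)(CI)(WD,WDAC)".
    $sysDeny = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $system -and
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.FileSystemRights) -band $denyMask) -eq $denyMask
    })

    if ($sysDeny.Count -gt 0 -and $authGrant.Count -eq 0) {
        $state = 'MitigationApplied'
    } elseif ($sysDeny.Count -eq 0 -and $authGrant.Count -gt 0) {
        $state = 'MitigationNotApplied'
    } else {
        $state = 'Partial'   # only one of the two commands took effect
    }

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        Path                    = $Path
        AuthenticatedUsersAllow = $authGrant.Count -gt 0
        SystemDenyWriteAndDac   = $sysDeny.Count -gt 0
        State                   = $state
    }
}

Test-TasksAclMitigation
```

A `Partial` result means the directory matches neither the mitigated nor the reverted ACL and should be inspected by hand with `icacls c:\windows\tasks`.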
906424
Notified: August 27, 2018 Updated: September 11, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
Temporal | 6.5 | E:F/RL:U/RC:C |
Environmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This issue was publicly disclosed by SandboxEscaper.
This document was written by Will Dormann.
CVE IDs: | CVE-2018-8440 |
---|---|
Date Public: | 2018-08-27 |
Date First Published: | |
doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f
github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
msdn.microsoft.com/en-us/library/cc248452.aspx
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440
twitter.com/karsten_nilsen/status/1034406706879578112
www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/