ID CVE-2018-0823 Type cve Reporter NVD Modified 2018-10-30T12:27:59
Description
The Named Pipe File System in Windows 10 version 1709 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Named Pipe File System handles objects, aka "Named Pipe File System Elevation of Privilege Vulnerability".
{"id": "CVE-2018-0823", "bulletinFamily": "NVD", "title": "CVE-2018-0823", "description": "The Named Pipe File System in Windows 10 version 1709 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Named Pipe File System handles objects, aka \"Named Pipe File System Elevation of Privilege Vulnerability\".", "published": "2018-02-14T21:29:01", "modified": "2018-10-30T12:27:59", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0823", "reporter": "NVD", "references": ["https://www.exploit-db.com/exploits/44148/", "http://www.securitytracker.com/id/1040379", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0823", "http://www.securityfocus.com/bid/102919"], "cvelist": ["CVE-2018-0823"], "type": "cve", "lastseen": "2018-11-01T05:17:31", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2018-0823"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The Named Pipe File System in Windows 10 version 1709 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Named Pipe File System handles objects, aka \"Named Pipe File System Elevation of Privilege Vulnerability\".", "edition": 1, "enchantments": {"score": {"modified": "2018-02-15T15:28:24", "value": 5.0}}, "hash": "afa4976671a683c9b8b51a0918d9fece7f9ae94b157b086a845e928ef6ea6d66", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "c57afa2e62b119dea3622752c44ac54a", "key": "description"}, {"hash": "dd19db5b065bc278a30d9822326b5b0c", "key": "cvelist"}, {"hash": "59a6c6c21e77c64fbd5d22b31c5caf1c", "key": "references"}, {"hash": "6965be19d0817d76236caaa6b333348e", "key": "published"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "3de237727b3df8274e86da4e9ead0b4a", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "64bbfd32d3913b72d00b6bfe5d760965", "key": "href"}, {"hash": "6965be19d0817d76236caaa6b333348e", "key": "modified"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0823", "id": "CVE-2018-0823", "lastseen": "2018-02-15T15:28:24", "modified": "2018-02-14T21:29:01", "objectVersion": "1.3", "published": "2018-02-14T21:29:01", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0823"], "reporter": "NVD", "scanner": [], "title": "CVE-2018-0823", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2018-02-15T15:28:24"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:microsoft:windows_server_1709:-", "cpe:/o:microsoft:windows_10:1709"], "cvelist": ["CVE-2018-0823"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The Named Pipe File System in Windows 10 version 1709 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Named Pipe File System handles objects, aka \"Named Pipe File System Elevation of Privilege Vulnerability\".", "edition": 4, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "36fba622da9c5d2660e8748062f42b7bae932245f1c765ea2526d44948e10428", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "c57afa2e62b119dea3622752c44ac54a", "key": "description"}, {"hash": "40526c62f653aefd5c8ff78a0963aa5f", "key": "cpe"}, {"hash": "dd19db5b065bc278a30d9822326b5b0c", "key": "cvelist"}, {"hash": "6965be19d0817d76236caaa6b333348e", "key": "published"}, {"hash": "b5663802287f7a831112ee8dec0147a2", "key": "cvss"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "3de237727b3df8274e86da4e9ead0b4a", "key": "title"}, {"hash": "c6c547bcce80e7d5056bbb772e338a2a", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "64bbfd32d3913b72d00b6bfe5d760965", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "ba7782aba67ba35d47f08242d08bf911", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0823", "id": "CVE-2018-0823", "lastseen": "2018-03-15T11:00:48", "modified": "2018-03-14T14:39:59", "objectVersion": "1.3", "published": "2018-02-14T21:29:01", "references": ["https://www.exploit-db.com/exploits/44148/", "http://www.securitytracker.com/id/1040379", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0823", "http://www.securityfocus.com/bid/102919"], "reporter": "NVD", "scanner": [], "title": "CVE-2018-0823", "type": "cve", "viewCount": 3}, "differentElements": ["modified", "cpe"], "edition": 4, "lastseen": "2018-03-15T11:00:48"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2018-0823"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The Named Pipe File System in Windows 10 version 1709 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Named Pipe File System handles objects, aka \"Named Pipe File System Elevation of Privilege Vulnerability\".", "edition": 3, "enchantments": {"score": {"modified": "2018-02-23T11:56:48", "value": 5.0}}, "hash": "18edbb02513c11d35c06815a8d924f7686614f1066a263085960fab2e92533b9", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "c57afa2e62b119dea3622752c44ac54a", "key": "description"}, {"hash": "dd19db5b065bc278a30d9822326b5b0c", "key": "cvelist"}, {"hash": "6965be19d0817d76236caaa6b333348e", "key": "published"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "3de237727b3df8274e86da4e9ead0b4a", "key": "title"}, {"hash": "c6c547bcce80e7d5056bbb772e338a2a", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "64bbfd32d3913b72d00b6bfe5d760965", "key": "href"}, {"hash": "bf7ad0719614cab65cc6312e6d73d46b", "key": "modified"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0823", "id": "CVE-2018-0823", "lastseen": "2018-02-23T11:56:48", "modified": "2018-02-22T21:29:02", "objectVersion": "1.3", "published": "2018-02-14T21:29:01", "references": ["https://www.exploit-db.com/exploits/44148/", "http://www.securitytracker.com/id/1040379", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0823", "http://www.securityfocus.com/bid/102919"], "reporter": "NVD", "scanner": [], "title": "CVE-2018-0823", "type": "cve", "viewCount": 0}, "differentElements": ["cvss", "modified", "cpe"], "edition": 3, "lastseen": "2018-02-23T11:56:48"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2018-0823"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The Named Pipe File System in Windows 10 version 1709 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Named Pipe File System handles objects, aka \"Named Pipe File System Elevation of Privilege Vulnerability\".", "edition": 2, "enchantments": {"score": {"modified": "2018-02-16T11:28:46", "value": 5.0}}, "hash": "b59022474d4d604fdf031469f57a652e12ac1c951b777e3b032c77f88fcf1876", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "c57afa2e62b119dea3622752c44ac54a", "key": "description"}, {"hash": "dd19db5b065bc278a30d9822326b5b0c", "key": "cvelist"}, {"hash": "6965be19d0817d76236caaa6b333348e", "key": "published"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "3de237727b3df8274e86da4e9ead0b4a", "key": "title"}, {"hash": "2624b13f5463f6fc510bb3a22cd74bbe", "key": "modified"}, {"hash": "6b4c324ba846749ecc0fcd65b0196d21", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "64bbfd32d3913b72d00b6bfe5d760965", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0823", "id": "CVE-2018-0823", "lastseen": "2018-02-16T11:28:46", "modified": "2018-02-15T21:29:04", "objectVersion": "1.3", "published": "2018-02-14T21:29:01", "references": ["http://www.securitytracker.com/id/1040379", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0823", "http://www.securityfocus.com/bid/102919"], "reporter": "NVD", "scanner": [], "title": "CVE-2018-0823", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2018-02-16T11:28:46"}], "edition": 5, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "0e1760db4c53eaa86f53db1a094c7d74"}, {"key": "cvelist", "hash": "dd19db5b065bc278a30d9822326b5b0c"}, {"key": "cvss", "hash": "b5663802287f7a831112ee8dec0147a2"}, {"key": "description", "hash": "c57afa2e62b119dea3622752c44ac54a"}, {"key": "href", "hash": "64bbfd32d3913b72d00b6bfe5d760965"}, {"key": "modified", "hash": "63757c70a9e908806578e9bea8a6bbbd"}, {"key": "published", "hash": "6965be19d0817d76236caaa6b333348e"}, {"key": "references", "hash": "c6c547bcce80e7d5056bbb772e338a2a"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "3de237727b3df8274e86da4e9ead0b4a"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "fdc35c70a119cc3377a2ee9b5e6e51527ebcaee6b84e684035e5df002c135cd5", "viewCount": 6, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "seebug", "idList": ["SSV:97142"]}, {"type": "symantec", "idList": ["SMNTC-102919"]}, {"type": "zdt", "idList": ["1337DAY-ID-29853"]}, {"type": "exploitdb", "idList": ["EDB-ID:44148"]}, {"type": "kaspersky", "idList": ["KLA11195"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_FEB_4074588.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812915"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:21BA30CBDC926C9B95A04B76A54421A4"]}, {"type": "talosblog", "idList": ["TALOSBLOG:87FD21E52374BD7C5F7C108EBB2E50F5"]}], "modified": "2018-11-01T05:17:31"}, "vulnersScore": 4.3}, "objectVersion": "1.3", "cpe": ["cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_10:1709"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"seebug": [{"lastseen": "2018-02-25T19:54:25", "bulletinFamily": "exploit", "description": "Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior\r\n\r\nPlatform: Windows 10 1709 (functionality not present prior to this version)\r\n\r\nClass: Security Feature Bypass/Elevation of Privilege/Dangerous Behavior\r\n\r\nSummary: It\u2019s possible to create NPFS symlinks as a low IL or normal user and the implementation doesn\u2019t behave in a similar manner to other types of Windows symlinks leading to dangerous behavior or EoP.\r\n\r\nDescription:\r\n\r\nWindows 10 1709 introduced a new symlink feature to NPFS which is accessible from a FSCTL. From what I can see the implementation has a number of security issues which concern me:\r\n\r\n* 1) Creation of symbolic links is only limited to a user which can open the root named pipe device. I.e. \\Device\\NamedPipe. This users which can open the device includes restricted tokens with the RESTRICTED SID and Low IL tokens.\r\n* 2) Accessing a symlink results in the NPFS driver synthesizing a NTFS symlink reparse point which is passed back to the object manager. This allows the symlink to reparse to different devices. This is presumably by design but it\u2019s dangerous behavior.\r\n* 3) Opening a symlink doesn\u2019t respect the FILE_OPEN_REPARSE_POINT which could lead to some unusual behavior.\r\n\r\nThe fact that you can create the symlink as a lower privileged user is bad enough, although I don\u2019t believe it can be done from an AC so maybe you don\u2019t care about it. But the other two issues are examples of dangerous behavior `which _will_ come` back to bite you at some point in the future.\r\n\r\nLet\u2019s take point 2 as an example, up to this point NPFS hasn\u2019t had the concept of symbolic links. Sure you could drop an appropriate object manager symlink somewhere and get a caller to follow it but you\u2019d need to be able to influence the callers path or their DOS device directory. With this if a privileged caller is expecting to open a named pipe, say \\\\.\\pipe\\ABC then ABC could actually be a symbolic link to a normal file. If the caller then just writes data to the pipe expecting it to be a stream they could actually be writing data into a file which might result in EoP. Basically I see it\u2019s a case of when not if that a EoP bug is found which abuses this behavior. \r\n\r\nAlso, there\u2019s no way I know of for detecting you\u2019re opening a symbolic link. For example if you open the target with the FILE_OPEN_REPARSE_POINT flag it continues to do the reparse operation. Due to creating a normal NTFS symbolic link this might also have weird behavior when a remote system accessed a named pipe, although I\u2019ve not tested that. \r\n\r\nOverall I think the behavior of the implementation has the potential for malicious use and should be limited to privileged users. I don\u2019t know it\u2019s original purpose, perhaps it\u2019s related to Silos (there is a flag to make a global symlink) or it\u2019s to make it easier to implement named pipes in WSL, I don\u2019t know. If the purpose is just to symlink between named pipes then perhaps only allow a caller to specify the name relative to the NPFS device rather than allowing a full object path.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. The PoC will create a symlink called ABC which points to notepad.exe. It will check the file file it opens via the symlink matches the file opened directly.\r\n\r\n* 1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.\r\n* 2) Run the poc as Low IL (using say psexec).\r\n\r\nExpected Result:\r\nThe creation of the symlink should fail with an error.\r\n\r\nObserved Result:\r\nThe symlink is created, is valid and the poc printed \u2018Success\u2019 as it\u2019s opened the copy of notepad.exe via the symlink.\r\n\r\n[poc.zip](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=310808&signed_aid=TOkMtt03qDzMT41SCzwPSQ==)", "modified": "2018-02-24T00:00:00", "published": "2018-02-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-97142", "id": "SSV:97142", "title": "Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior(CVE-2018-0823)", "type": "seebug", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}], "symantec": [{"lastseen": "2018-03-14T22:39:53", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to run processes with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2018-02-13T00:00:00", "published": "2018-02-13T00:00:00", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/102919", "id": "SMNTC-102919", "type": "symantec", "title": "Microsoft Windows Named Pipe File System CVE-2018-0823 Local Privilege Escalation Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-28T09:21:08", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2018-02-20T00:00:00", "published": "2018-02-20T00:00:00", "href": "https://0day.today/exploit/description/29853", "id": "1337DAY-ID-29853", "type": "zdt", "title": "Microsoft Windows - NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior E", "sourceData": "Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior\r\nPlatform: Windows 10 1709 (functionality not present prior to this version)\r\nClass: Security Feature Bypass/Elevation of Privilege/Dangerous Behavior\r\n \r\nSummary: It\u2019s possible to create NPFS symlinks as a low IL or normal user and the implementation doesn\u2019t behave in a similar manner to other types of Windows symlinks leading to dangerous behavior or EoP.\r\n \r\nDescription:\r\n \r\nWindows 10 1709 introduced a new symlink feature to NPFS which is accessible from a FSCTL. From what I can see the implementation has a number of security issues which concern me:\r\n \r\n1) Creation of symbolic links is only limited to a user which can open the root named pipe device. I.e. \\Device\\NamedPipe. This users which can open the device includes restricted tokens with the RESTRICTED SID and Low IL tokens.\r\n2) Accessing a symlink results in the NPFS driver synthesizing a NTFS symlink reparse point which is passed back to the object manager. This allows the symlink to reparse to different devices. This is presumably by design but it\u2019s dangerous behavior.\r\n3) Opening a symlink doesn\u2019t respect the FILE_OPEN_REPARSE_POINT which could lead to some unusual behavior.\r\n \r\nThe fact that you can create the symlink as a lower privileged user is bad enough, although I don\u2019t believe it can be done from an AC so maybe you don\u2019t care about it. But the other two issues are examples of dangerous behavior which _will_ come back to bite you at some point in the future.\r\n \r\nLet\u2019s take point 2 as an example, up to this point NPFS hasn\u2019t had the concept of symbolic links. Sure you could drop an appropriate object manager symlink somewhere and get a caller to follow it but you\u2019d need to be able to influence the callers path or their DOS device directory. With this if a privileged caller is expecting to open a named pipe, say \\\\.\\pipe\\ABC then ABC could actually be a symbolic link to a normal file. If the caller then just writes data to the pipe expecting it to be a stream they could actually be writing data into a file which might result in EoP. Basically I see it\u2019s a case of when not if that a EoP bug is found which abuses this behavior. \r\n \r\nAlso, there\u2019s no way I know of for detecting you\u2019re opening a symbolic link. For example if you open the target with the FILE_OPEN_REPARSE_POINT flag it continues to do the reparse operation. Due to creating a normal NTFS symbolic link this might also have weird behavior when a remote system accessed a named pipe, although I\u2019ve not tested that. \r\n \r\nOverall I think the behavior of the implementation has the potential for malicious use and should be limited to privileged users. I don\u2019t know it\u2019s original purpose, perhaps it\u2019s related to Silos (there is a flag to make a global symlink) or it\u2019s to make it easier to implement named pipes in WSL, I don\u2019t know. If the purpose is just to symlink between named pipes then perhaps only allow a caller to specify the name relative to the NPFS device rather than allowing a full object path.\r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C# project. The PoC will create a symlink called ABC which points to notepad.exe. It will check the file file it opens via the symlink matches the file opened directly.\r\n \r\n1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.\r\n2) Run the poc as Low IL (using say psexec).\r\n \r\nExpected Result:\r\nThe creation of the symlink should fail with an error.\r\n \r\nObserved Result:\r\nThe symlink is created, is valid and the poc printed \u2018Success\u2019 as it\u2019s opened the copy of notepad.exe via the symlink.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44148.zip\n\n# 0day.today [2018-03-28] #", "sourceHref": "https://0day.today/exploit/29853", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-02-20T19:20:19", "bulletinFamily": "exploit", "description": "Microsoft Windows - NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior. CVE-2018-0823. Local exploit for Windows platform. Tags: ...", "modified": "2018-02-20T00:00:00", "published": "2018-02-20T00:00:00", "id": "EDB-ID:44148", "href": "https://www.exploit-db.com/exploits/44148/", "type": "exploitdb", "title": "Microsoft Windows - NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior", "sourceData": "Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior\r\nPlatform: Windows 10 1709 (functionality not present prior to this version)\r\nClass: Security Feature Bypass/Elevation of Privilege/Dangerous Behavior\r\n\r\nSummary: It\u2019s possible to create NPFS symlinks as a low IL or normal user and the implementation doesn\u2019t behave in a similar manner to other types of Windows symlinks leading to dangerous behavior or EoP.\r\n\r\nDescription:\r\n\r\nWindows 10 1709 introduced a new symlink feature to NPFS which is accessible from a FSCTL. From what I can see the implementation has a number of security issues which concern me:\r\n\r\n1) Creation of symbolic links is only limited to a user which can open the root named pipe device. I.e. \\Device\\NamedPipe. This users which can open the device includes restricted tokens with the RESTRICTED SID and Low IL tokens.\r\n2) Accessing a symlink results in the NPFS driver synthesizing a NTFS symlink reparse point which is passed back to the object manager. This allows the symlink to reparse to different devices. This is presumably by design but it\u2019s dangerous behavior.\r\n3) Opening a symlink doesn\u2019t respect the FILE_OPEN_REPARSE_POINT which could lead to some unusual behavior.\r\n\r\nThe fact that you can create the symlink as a lower privileged user is bad enough, although I don\u2019t believe it can be done from an AC so maybe you don\u2019t care about it. But the other two issues are examples of dangerous behavior which _will_ come back to bite you at some point in the future.\r\n\r\nLet\u2019s take point 2 as an example, up to this point NPFS hasn\u2019t had the concept of symbolic links. Sure you could drop an appropriate object manager symlink somewhere and get a caller to follow it but you\u2019d need to be able to influence the callers path or their DOS device directory. With this if a privileged caller is expecting to open a named pipe, say \\\\.\\pipe\\ABC then ABC could actually be a symbolic link to a normal file. If the caller then just writes data to the pipe expecting it to be a stream they could actually be writing data into a file which might result in EoP. Basically I see it\u2019s a case of when not if that a EoP bug is found which abuses this behavior. \r\n\r\nAlso, there\u2019s no way I know of for detecting you\u2019re opening a symbolic link. For example if you open the target with the FILE_OPEN_REPARSE_POINT flag it continues to do the reparse operation. Due to creating a normal NTFS symbolic link this might also have weird behavior when a remote system accessed a named pipe, although I\u2019ve not tested that. \r\n\r\nOverall I think the behavior of the implementation has the potential for malicious use and should be limited to privileged users. I don\u2019t know it\u2019s original purpose, perhaps it\u2019s related to Silos (there is a flag to make a global symlink) or it\u2019s to make it easier to implement named pipes in WSL, I don\u2019t know. If the purpose is just to symlink between named pipes then perhaps only allow a caller to specify the name relative to the NPFS device rather than allowing a full object path.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. The PoC will create a symlink called ABC which points to notepad.exe. It will check the file file it opens via the symlink matches the file opened directly.\r\n\r\n1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.\r\n2) Run the poc as Low IL (using say psexec).\r\n\r\nExpected Result:\r\nThe creation of the symlink should fail with an error.\r\n\r\nObserved Result:\r\nThe symlink is created, is valid and the poc printed \u2018Success\u2019 as it\u2019s opened the copy of notepad.exe via the symlink.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44148.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44148/"}], "kaspersky": [{"lastseen": "2019-03-21T00:15:13", "bulletinFamily": "info", "description": "### *Detect date*:\n02/13/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, bypass security restrictions, obtain sensitive information, cause denial of service and execute arbitrary code. Below is a complete list of vulnerabilities:\n\n### *Affected products*:\nWindows Server, version 1709 (Server Core Installation) \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1511 for 32-bit Systems \nWindows 10 Version 1511 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1709 for 64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 \nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2016 \nWindows Server 2016 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-0742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0742>) \n[CVE-2018-0755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0755>) \n[CVE-2018-0756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0756>) \n[CVE-2018-0757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0757>) \n[CVE-2018-0760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0760>) \n[CVE-2018-0761](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0761>) \n[CVE-2018-0809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0809>) \n[CVE-2018-0810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0810>) \n[CVE-2018-0820](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0820>) \n[CVE-2018-0821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0821>) \n[CVE-2018-0822](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0822>) \n[CVE-2018-0823](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0823>) \n[CVE-2018-0825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0825>) \n[CVE-2018-0826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0826>) \n[CVE-2018-0827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0827>) \n[CVE-2018-0828](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0828>) \n[CVE-2018-0829](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0829>) \n[CVE-2018-0830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0830>) \n[CVE-2018-0831](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0831>) \n[CVE-2018-0832](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0832>) \n[CVE-2018-0833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0833>) \n[CVE-2018-0842](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0842>) \n[CVE-2018-0843](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0843>) \n[CVE-2018-0844](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0844>) \n[CVE-2018-0846](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0846>) \n[CVE-2018-0847](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0847>) \n[CVE-2018-0855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0855>) \n[ADV180005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180005>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-0742](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0742>)4.6Critical \n[CVE-2018-0755](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0755>)2.1Critical \n[CVE-2018-0756](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0756>)4.6Critical \n[CVE-2018-0757](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0757>)1.9Critical \n[CVE-2018-0760](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0760>)2.1Critical \n[CVE-2018-0761](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0761>)2.1Critical \n[CVE-2018-0809](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0809>)6.9Critical \n[CVE-2018-0810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0810>)1.9Critical \n[CVE-2018-0820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0820>)4.6Critical \n[CVE-2018-0821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0821>)4.4Critical \n[CVE-2018-0822](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0822>)4.4Critical \n[CVE-2018-0823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0823>)4.4Critical \n[CVE-2018-0825](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0825>)7.6Critical \n[CVE-2018-0826](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0826>)4.4Critical \n[CVE-2018-0827](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0827>)4.6Critical \n[CVE-2018-0828](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0828>)4.6Critical \n[CVE-2018-0829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0829>)1.9Critical \n[CVE-2018-0830](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0830>)1.9Critical \n[CVE-2018-0831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0831>)4.6Critical \n[CVE-2018-0832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0832>)1.9Critical \n[CVE-2018-0833](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0833>)6.3Critical \n[CVE-2018-0842](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0842>)6.9Critical \n[CVE-2018-0843](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0843>)1.9Critical \n[CVE-2018-0844](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0844>)4.6Critical \n[CVE-2018-0846](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0846>)4.6Critical \n[CVE-2018-0847](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0847>)4.3Critical \n[CVE-2018-0855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0855>)4.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4074591](<http://support.microsoft.com/kb/4074591>) \n[4074590](<http://support.microsoft.com/kb/4074590>) \n[4074598](<http://support.microsoft.com/kb/4074598>) \n[4074587](<http://support.microsoft.com/kb/4074587>) \n[4074594](<http://support.microsoft.com/kb/4074594>) \n[4074597](<http://support.microsoft.com/kb/4074597>) \n[4074593](<http://support.microsoft.com/kb/4074593>) \n[4074589](<http://support.microsoft.com/kb/4074589>) \n[4074596](<http://support.microsoft.com/kb/4074596>) \n[4074592](<http://support.microsoft.com/kb/4074592>) \n[4074588](<http://support.microsoft.com/kb/4074588>) \n[4074603](<http://support.microsoft.com/kb/4074603>) \n[4073080](<http://support.microsoft.com/kb/4073080>) \n[4074851](<http://support.microsoft.com/kb/4074851>) \n[4058165](<http://support.microsoft.com/kb/4058165>) \n[4074836](<http://support.microsoft.com/kb/4074836>) \n[4073079](<http://support.microsoft.com/kb/4073079>) \n[4034044](<http://support.microsoft.com/kb/4034044>)", "modified": "2019-03-07T00:00:00", "published": "2018-02-13T00:00:00", "id": "KLA11195", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11195", "title": "\r KLA11195Multiple serious vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:36:38", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4074588. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-0866)\n\n - A security feature bypass vulnerability exists in Windows Scripting Host which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2018-0827)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0856, CVE-2018-0857, CVE-2018-0859, CVE-2018-0860)\n\n - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0763)\n\n - An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0843)\n\n - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0832)\n\n - An information disclosure vulnerability exists when VBScript improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the users computer or data.\n (CVE-2018-0847)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0757, CVE-2018-0829, CVE-2018-0830)\n\n - A remote code execution vulnerability exists in StructuredQuery when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-0825)\n\n - An elevation of privilege vulnerability exists when Storage Services improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0826)\n\n - An elevation of privilege vulnerability exists when NTFS improperly handles objects. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0822)\n\n - An elevation of privilege vulnerability exists when AppContainer improperly implements constrained impersonation. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0821)\n\n - A remote code execution vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could take control of an affected system. (CVE-2018-0842)\n\n - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0844, CVE-2018-0846)\n\n - An elevation of privilege vulnerability exist when Named Pipe File System improperly handles objects. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0823)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0809)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2018-0742, CVE-2018-0756, CVE-2018-0820, CVE-2018-0831)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-0840)", "modified": "2018-11-05T00:00:00", "id": "SMB_NT_MS18_FEB_4074588.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106795", "published": "2018-02-13T00:00:00", "title": "KB4074588: Windows 10 Version 1709 and Windows Server Version 1709 February 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106795);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/05 8:48:40\");\n\n script_cve_id(\n \"CVE-2018-0742\",\n \"CVE-2018-0756\",\n \"CVE-2018-0757\",\n \"CVE-2018-0763\",\n \"CVE-2018-0809\",\n \"CVE-2018-0820\",\n \"CVE-2018-0821\",\n \"CVE-2018-0822\",\n \"CVE-2018-0823\",\n \"CVE-2018-0825\",\n \"CVE-2018-0826\",\n \"CVE-2018-0827\",\n \"CVE-2018-0829\",\n \"CVE-2018-0830\",\n \"CVE-2018-0831\",\n \"CVE-2018-0832\",\n \"CVE-2018-0834\",\n \"CVE-2018-0835\",\n \"CVE-2018-0836\",\n \"CVE-2018-0837\",\n \"CVE-2018-0838\",\n \"CVE-2018-0840\",\n \"CVE-2018-0842\",\n \"CVE-2018-0843\",\n \"CVE-2018-0844\",\n \"CVE-2018-0846\",\n \"CVE-2018-0847\",\n \"CVE-2018-0856\",\n \"CVE-2018-0857\",\n \"CVE-2018-0859\",\n \"CVE-2018-0860\",\n \"CVE-2018-0866\"\n );\n script_xref(name:\"MSKB\", value:\"4074588\");\n script_xref(name:\"MSFT\", value:\"MS18-4074588\");\n\n script_name(english:\"KB4074588: Windows 10 Version 1709 and Windows Server Version 1709 February 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4074588. \nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-0866)\n\n - A security feature bypass vulnerability exists in\n Windows Scripting Host which could allow an attacker to\n bypass Device Guard. An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2018-0827)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0834,\n CVE-2018-0835, CVE-2018-0836, CVE-2018-0837,\n CVE-2018-0838, CVE-2018-0856, CVE-2018-0857,\n CVE-2018-0859, CVE-2018-0860)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0763)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-0843)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2018-0832)\n\n - An information disclosure vulnerability exists when\n VBScript improperly discloses the contents of its\n memory, which could provide an attacker with information\n to further compromise the users computer or data.\n (CVE-2018-0847)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0757, CVE-2018-0829, CVE-2018-0830)\n\n - A remote code execution vulnerability exists in\n StructuredQuery when the software fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could run arbitrary code in\n the context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-0825)\n\n - An elevation of privilege vulnerability exists when\n Storage Services improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2018-0826)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly handles objects. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-0822)\n\n - An elevation of privilege vulnerability exists when\n AppContainer improperly implements constrained\n impersonation. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. (CVE-2018-0821)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-0842)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-0844, CVE-2018-0846)\n\n - An elevation of privilege vulnerability exist when Named\n Pipe File System improperly handles objects. An attacker\n who successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-0823)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-0809)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-0742, CVE-2018-0756, CVE-2018-0820,\n CVE-2018-0831)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-0840)\");\n # https://support.microsoft.com/en-us/help/4074588/windows-10-update-kb4074588\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?13cfb4a5\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4074588.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Score based on analysis of the vendor advisory.\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-02\";\nkbs = make_list('4074588');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"02_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4074588])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-06T14:26:11", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4074588", "modified": "2019-05-03T00:00:00", "published": "2018-02-14T00:00:00", "id": "OPENVAS:1361412562310812915", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812915", "title": "Microsoft Windows Multiple Vulnerabilities (KB4074588)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4074588)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812915\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2018-0742\", \"CVE-2018-0756\", \"CVE-2018-0757\", \"CVE-2018-0763\",\n \"CVE-2018-0809\", \"CVE-2018-0820\", \"CVE-2018-0821\", \"CVE-2018-0822\",\n \"CVE-2018-0823\", \"CVE-2018-0825\", \"CVE-2018-0826\", \"CVE-2018-0827\",\n \"CVE-2018-0829\", \"CVE-2018-0830\", \"CVE-2018-0831\", \"CVE-2018-0832\",\n \"CVE-2018-0834\", \"CVE-2018-0835\", \"CVE-2018-0836\", \"CVE-2018-0837\",\n \"CVE-2018-0838\", \"CVE-2018-0840\", \"CVE-2018-0842\", \"CVE-2018-0843\",\n \"CVE-2018-0844\", \"CVE-2018-0846\", \"CVE-2018-0847\", \"CVE-2018-0856\",\n \"CVE-2018-0857\", \"CVE-2018-0859\", \"CVE-2018-0860\", \"CVE-2018-0866\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-02-14 13:19:41 +0530 (Wed, 14 Feb 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4074588)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4074588\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Multiple errors error in the way the scripting engine handles objects in\n memory in Microsoft browsers.\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows kernel fails to properly initialize a memory address.\n\n - An error when the Windows Common Log File System (CLFS) driver improperly\n handles objects in memory.\n\n - An error when VBScript improperly discloses the contents of its memory, which\n could provide an attacker with information to further compromise the user\n computer or data.\n\n - An error when Storage Services improperly handles objects in memory.\n\n - An error in Windows Scripting Host which could allow an attacker to bypass\n Device Guard.\n\n - An error in StructuredQuery when the software fails to properly handle objects\n in memory.\n\n - An error when NTFS improperly handles objects.\n\n - An error when Named Pipe File System improperly handles objects.\n\n - An error when AppContainer improperly implements constrained impersonation.\n\n - An error as Microsoft has deprecated the Document Signing functionality in XPS\n Viewer.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain the same user rights as the current user, run arbitrary code in kernel\n mode, obtain information to further compromise the user, run processes in an\n elevated context, circumvent a User Mode Code Integrity (UMCI) policy on the\n machine, spoof content, perform phishing attacks, or otherwise manipulate\n content of a document.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 Version 1709 for 32-bit Systems\n\n Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4074588\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.247\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.247\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2018-02-16T14:10:04", "bulletinFamily": "blog", "description": "\n\nValentine\u2019s Day was earlier this week, and there was so much love in the air. There was also a lot of love in the Trend Micro world as our teams worked diligently to make sure our customers were protected from this month\u2019s bevy of critical vulnerabilities across several vendors. This week, we focus on Microsoft, who issued a whopping 50 security patches covering Internet Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows and Microsoft Office. Eight of the CVEs came through the Zero Day Initiative program!\n\n\n\nThere are some scary bugs out there! One of the interesting ones that Microsoft patched this month for Microsoft Outlook used the preview pane as an attack vector. That means an exploit of this vulnerability could allow code execution without even opening an email. You can get more information on this month\u2019s Microsoft updates from Dustin Childs\u2019 [February 2018 Security Update Review](<https://zerodayinitiative.com/blog/2018/2/13/the-february-2018-security-update-review>) from the Zero Day Initiative:\n\n**Microsoft Security Updates**\n\nThis week\u2019s Digital Vaccine\u00ae (DV) package includes coverage for Microsoft updates released on or before February 13, 2018. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with * shipped prior to this week\u2019s DV package, providing preemptive protection for our customers.\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2018-0742 | 30334 | \nCVE-2018-0755 | *30237 | \nCVE-2018-0756 | 30336 | \nCVE-2018-0757 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0760 | *30241 | \nCVE-2018-0761 | *30239 | \nCVE-2018-0763 | *30275 | \nCVE-2018-0771 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0809 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0810 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0820 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0821 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0822 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0823 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0825 | 30341 | \nCVE-2018-0826 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0827 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0828 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0829 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0830 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0831 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0832 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0833 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0834 | 30345 | \nCVE-2018-0835 | 30349 | \nCVE-2018-0836 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0837 | 30351 | \nCVE-2018-0838 | 30362 | \nCVE-2018-0839 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0840 | 30365 | \nCVE-2018-0841 | 30388 | \nCVE-2018-0842 | 30367 | \nCVE-2018-0843 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0844 | 30366 | \nCVE-2018-0846 | 30368 | \nCVE-2018-0847 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0850 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0851 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0852 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0853 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0855 | *30242 | \nCVE-2018-0856 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0857 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0858 | 30331 | \nCVE-2018-0859 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0860 | 30342 | \nCVE-2018-0861 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0864 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0866 | 30410 | \nCVE-2018-0869 | | Vendor Deemed Reproducibility or Exploitation Unlikely \n \n**Offensivecon 2018**\n\nIf you happen to be reading this and you\u2019re in Berlin, Germany, three members of our Zero Day Initiative team (Brian Gorenc, Abdul-Aziz Hariri and Jasiel Spelman) will be speaking later today at Offensivecon 2018, an international security conference that brings the hacker community together for networking and sharing knowledge. Their session, **_\u201cL'art de l'\u00e9vasion: Modern VMWare Exploitation Techniques,\u201d_** will dive into modern exploitation techniques of VMware vulnerabilities and take an in-depth look at the available attack surfaces on a virtual machine. Learn more by clicking here: <https://www.offensivecon.org/speakers/2018/zdi-team.html>\n\n**Zero-Day Filters**\n\nThere are 13 new zero-day filters covering five vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Adobe (5)_**\n\n| \n\n * 30359: ZDI-CAN-5381: Zero Day Initiative Vulnerability (Adobe Flash Player)\n * 30370: ZDI-CAN-5237: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30371: ZDI-CAN-5238: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30372: ZDI-CAN-5241: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30373: ZDI-CAN-5291: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) \n---|--- \n| \n \n**_Delta (1)_**\n\n| \n\n * 30391: ZDI-CAN-5389: Zero Day Initiative Vulnerability (Delta Industrial Automation TPEditor) \n---|--- \n| \n \n**_Foxit (3)_**\n\n| \n\n * 30355: ZDI-CAN-5376,5377: Zero Day Initiative Vulnerability (Foxit Reader)\n * 30358: ZDI-CAN-5379: Zero Day Initiative Vulnerability (Foxit Reader)\n * 30360: ZDI-CAN-5382: Zero Day Initiative Vulnerability (Foxit Reader) \n---|--- \n| \n \n**_Microsoft (1)_**\n\n| \n\n * 30357: ZDI-CAN-5378: Zero Day Initiative Vulnerability (Microsoft Windows) \n---|--- \n| \n \n**_OMRON (3)_**\n\n| \n\n * 30392: ZDI-CAN-5402: Zero Day Initiative Vulnerability (OMRON CX-One)\n * 30393: ZDI-CAN-5403: Zero Day Initiative Vulnerability (OMRON CX-One)\n * 30394: ZDI-CAN-5404: Zero Day Initiative Vulnerability (OMRON CX-One) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-february-5-2018/>).", "modified": "2018-02-16T13:00:28", "published": "2018-02-16T13:00:28", "href": "https://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-february-12-2018/", "id": "TRENDMICROBLOG:21BA30CBDC926C9B95A04B76A54421A4", "type": "trendmicroblog", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of February 12, 2018", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2018-02-13T22:41:41", "bulletinFamily": "blog", "description": "Microsoft Patch Tuesday - February 2018 \n \nToday Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 54 new vulnerabilities with 14 of them rated critical, 38 of them rated important, and 2 of them rated Moderate. These vulnerabilities impact Outlook, Edge, Scripting Engine, App Container, Windows, and more. \n \n \n\n\n## Critical Vulnerabilities\n\n \nThis month, Microsoft is addressing 14 vulnerabilities that are rated \"critical.\" Talos believes one of these are notable and require prompt attention, detailed below. \n \n[CVE-2018-0852 - Microsoft Outlook Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0852>) \n \nA remote code execution vulnerability has been identified in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. \n \nOther vulnerabilities deemed Critical are listed below: \n \n\n\n * [CVE-2018-0763 - Microsoft Edge Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0763>)\n * [CVE-2018-0825 - StructuredQuery Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0825>)\n * [CVE-2018-0834 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0834>)\n * [CVE-2018-0835 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0835>)\n * [CVE-2018-0837 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0837>)\n * [CVE-2018-0838 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0838>)\n * [CVE-2018-0840 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0840>)\n * [CVE-2018-0856 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856>)\n * [CVE-2018-0857 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0857>)\n * [CVE-2018-0858 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0858>)\n * [CVE-2018-0859 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0859>)\n * [CVE-2018-0860 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0860>)\n * [CVE-2018-0861 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0861>)\n \n \n\n\n## Important Vulnerabilities\n\n \nThis month, Microsoft is addressing 38 vulnerabilities that are rated \"important.\" Talos believes one of these vulnerabilities is notable and requires prompt attention. These are detailed below. \n \n[CVE-2018-0850 - Microsoft Outlook Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0850>) \n \nA elevation of privilege vulnerability has been identified in Microsoft Outlook that manifest when it initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email. \n \nOther vulnerabilities deemed Important are listed below: \n \n\n\n * [CVE-2018-0742 - Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0742>)\n * [CVE-2018-0755 - Windows EOT Font Engine Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0755>)\n * [CVE-2018-0756 - Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0756>)\n * [CVE-2018-0757 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0757>)\n * [CVE-2018-0760 - Windows EOT Font Engine Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0760>)\n * [CVE-2018-0761 - Windows EOT Font Engine Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0761>)\n * [CVE-2018-0809 - Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0809>)\n * [CVE-2018-0810 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0810>)\n * [CVE-2018-0820 - Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0820>)\n * [CVE-2018-0821 - Windows AppContainer Elevation Of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0821>)\n * [CVE-2018-0822 - Windows NTFS Global Reparse Point Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0822>)\n * [CVE-2018-0823 - Named Pipe File System Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0823>)\n * [CVE-2018-0826 - Windows Storage Services Elevation of Privilege Vulnerabil](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0826>)ity\n * [CVE-2018-0827 - Windows Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0827>)\n * [CVE-2018-0828 - Windows Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0828>)\n * [CVE-2018-0829 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0829>)\n * [CVE-2018-0830 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0830>)\n * [CVE-2018-0831 - Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0831>)\n * [CVE-2018-0832 - Windows Kernel Information Disclosure Vulnerabilit](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0832>)y\n * [CVE-2018-0836 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0836>)\n * [CVE-2018-0839 - Microsoft Edge Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0839>)\n * [CVE-2018-0841 - Microsoft Excel Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0841>)\n * [CVE-2018-0842 - Windows Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0842>)\n * [CVE-2018-0843 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0843>)\n * [CVE-2018-0844 - Windows Common Log File System Driver Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0844>)\n * [CVE-2018-0845 - Microsoft Office Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0845>)\n * [CVE-2018-0846 - Windows Common Log File System Driver Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0846>)\n * [CVE-2018-0847 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0847>)\n * [CVE-2018-0848 - Microsoft Office Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0848>)\n * [CVE-2018-0849 - Microsoft Office Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0849>)\n * [CVE-2018-0851 - Microsoft Office Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0851>)\n * [CVE-2018-0853 - Microsoft Office Information Disclosure Vulnerab](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0853>)ility\n * [CVE-2018-0855 - Windows EOT Font Engine Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0855>)\n * [CVE-2018-0862 - Microsoft Office Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0862>)\n * [CVE-2018-0864 - Microsoft SharePoint Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0864>)\n * [CVE-2018-0866 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0866>)\n * [CVE-2018-0869 - Microsoft SharePoint Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0869>)\n\n## Coverage\n\n \nIn response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. \n \nSnort Rules: \n \n\n\n * 45624-45637\n * 45649-45650\n * 45654-45657\n * 45659-45660\n * 45673-45674\n * 40691-40692 \n \n \n\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=Z6-ikSNdAT8:SG64K_b0iSk:yIl2AUoC8zA>)\n\n", "modified": "2018-02-13T21:26:06", "published": "2018-02-13T13:26:00", "id": "TALOSBLOG:87FD21E52374BD7C5F7C108EBB2E50F5", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/Z6-ikSNdAT8/ms-tuesday.html", "type": "talosblog", "title": "Microsoft Patch Tuesday - February 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
