ID CVE-2019-1167 Type cve Reporter cve@mitre.org Modified 2020-08-24T17:37:00
Description
A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement, aka 'Windows Defender Application Control Security Feature Bypass Vulnerability'.
# OpenVAS: PowerShell Windows Defender Application Control Security Feature Bypass Vulnerability (Windows)

- ID: OPENVAS:1361412562310815419
- Bulletin family: scanner
- Published: 2019-07-17; modified: 2019-07-30; last seen: 2019-07-30T13:49:35
- CVSS: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
- Reference: http://plugins.openvas.org/nasl.php?oid=1361412562310815419

Description: This host is missing an important security update for PowerShell Core according to Microsoft security advisory CVE-2019-1167.

Plugin source (NASL), as carried in the record:

```nasl
# Copyright (C) 2019 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

CPE = "cpe:/a:microsoft:powershell";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.815419");
  script_version("2019-07-30T07:04:43+0000");
  script_cve_id("CVE-2019-1167");
  script_tag(name:"cvss_base", value:"1.9");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:P/I:N/A:N");
  script_tag(name:"last_modification", value:"2019-07-30 07:04:43 +0000 (Tue, 30 Jul 2019)");
  script_tag(name:"creation_date", value:"2019-07-17 12:25:47 +0530 (Wed, 17 Jul 2019)");
  script_name("PowerShell Windows Defender Application Control Security Feature Bypass Vulnerability (Windows)");

  script_tag(name:"summary", value:"This host is missing an important security
  update for PowerShell Core according to Microsoft security advisory
  CVE-2019-1167.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present
  on the target host.");

  script_tag(name:"insight", value:"The flaw is due to an error in Windows
  Defender Application Control (WDAC) which causes improper functioning of
  PowerShell in Constrained Language Mode.");

  script_tag(name:"impact", value:"Successful exploitation will allow attackers
  to bypass security and access resources in an unintended way.");

  script_tag(name:"affected", value:"PowerShell Core versions 6.1 prior to 6.1.5
  and 6.2 prior to 6.2.2 on Windows.");

  script_tag(name:"solution", value:"Update PowerShell Core to version 6.1.5 or
  6.2.2 or later. Please see the references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"registry");
  script_xref(name:"URL", value:"https://github.com/PowerShell/PowerShell#get-powershell");
  script_xref(name:"URL", value:"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1167");
  script_xref(name:"URL", value:"https://github.com/PowerShell/PowerShell/security/advisories/GHSA-5frh-8cmj-gc59");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2019 Greenbone Networks GmbH");
  script_family("General");
  script_dependencies("gb_powershell_core_detect_win.nasl");
  script_mandatory_keys("PowerShell/Win/Ver");
  exit(0);
}

include("version_func.inc");
include("host_details.inc");

# Version and install path come from the detection script this plugin depends on.
if(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);
psVer = infos['version'];
psPath = infos['location'];

# Only the 6.1.x and 6.2.x branches are checked; each has its own fixed version.
if(psVer =~ "^6\.1\." && version_is_less(version:psVer, test_version:"6.1.5")){
  fix = "6.1.5";
}
else if(psVer =~ "^6\.2\." && version_is_less(version:psVer, test_version:"6.2.2")){
  fix = "6.2.2";
}

if(fix)
{
  report = report_fixed_ver(installed_version:psVer, fixed_version:fix, install_path:psPath);
  security_message(data:report);
  exit(0);
}
exit(0);
```

# Kaspersky: KLA11525 SB vulnerability in Microsoft Developer Tools

- ID: KLA11525
- Bulletin family: info
- Published: 2019-07-16; modified: 2020-05-22; last seen: 2020-09-02T11:53:03
- Edition: 1
- CVSS: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
- Reference: https://threats.kaspersky.com/en/vulnerability/KLA11525

### *Detect date*:
07/16/2019

### *Severity*:
High

### *Description*:
A security feature bypass vulnerability was found in Windows Defender Application Control. Malicious users can exploit this vulnerability to bypass security restrictions.

### *Affected products*:
PowerShell Core 6.1
PowerShell Core 6.2

### *Solution*:
Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

### *Original advisories*:
[CVE-2019-1167](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1167)

### *Impacts*:
SB

### *Related products*:
[Windows Defender](https://threats.kaspersky.com/en/product/Windows-Defender/)

### *CVE-IDS*:
[CVE-2019-1167](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1167)

# GitHub: High severity vulnerability that affects System.Management.Automation

- ID: GHSA-5FRH-8CMJ-GC59
- Bulletin family: software
- Published: 2019-07-17T19:14:18; modified: 2019-07-17T19:14:18; last seen: 2020-12-24T13:32:49
- Edition: 3
- CVSS: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
- Reference: https://github.com/advisories/GHSA-5frh-8cmj-gc59

## Microsoft Security Advisory CVE-2019-1167: Windows Defender Application Control Security Feature Bypass Vulnerability

### Executive Summary

A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement.
An attacker who successfully exploited this vulnerability could circumvent PowerShell Core Constrained Language Mode on the machine.

To exploit the vulnerability, an attacker would first have access to the local machine where PowerShell is running in Constrained Language mode.
By doing that an attacker could leverage script debugging to abuse signed modules in an unintended way.

The update addresses the vulnerability by correcting how PowerShell functions in Constrained Language Mode.
System administrators are advised to update PowerShell Core to an unaffected version (see [affected software](#user-content-affected-software)).

### Discussion

Please use PowerShell/PowerShell#TBD for discussion of this advisory.

### <a name="affected-software">Affected Software</a>

The vulnerability affects PowerShell Core prior to the following versions:

| PowerShell Core Version | Fixed in |
|-------------------------|----------|
| 6.1                     | 6.1.5    |
| 6.2                     | 6.2.2    |

### Advisory FAQ

#### How do I know if I am affected?

If all of the following are true:

1. Run `pwsh -v`, then check the version against the table in [Affected Software](#user-content-affected-software) to see if your version of PowerShell Core is affected.
2. If you are running a version of PowerShell Core where the executable is not `pwsh` or `pwsh.exe`, then you are affected. This only existed for preview versions of `6.0`.

#### How do I update to an unaffected version?

Follow the instructions at [Installing PowerShell Core](https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-powershell?view=powershell-6) to install the latest version of PowerShell Core.

### Other Information

#### Reporting Security Issues

If you have found a potential security issue in PowerShell Core, please email details to secure@microsoft.com.

#### Support

You can ask questions about this issue on GitHub in the PowerShell organization, located at https://github.com/PowerShell/.
The Announcements repo (https://github.com/PowerShell/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.

#### What if the update breaks my script or module?

You can uninstall the newer version of PowerShell Core and install the previous version of PowerShell Core.
This should be treated as a temporary measure; the script or module should be updated to work with the patched version of PowerShell Core.

#### Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.

See [acknowledgments](https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments) for more information.

#### External Links

[CVE-2019-1167](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1167)

#### Revisions

V1.0 (July 16, 2019): Advisory published.

*Version 1.0*
*Last Updated 2019-07-16*

# Microsoft (MSRC): Windows Defender Application Control Security Feature Bypass Vulnerability

- ID: MS:CVE-2019-1167
- Bulletin family: microsoft
- Published: 2019-07-16T07:00:00; modified: 2019-07-16T07:00:00; last seen: 2020-08-07T11:45:31
- Edition: 2
- CVSS: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
- Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1167

A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement. An attacker who successfully exploited this vulnerability could circumvent PowerShell Core Constrained Language Mode on the machine.

To exploit the vulnerability, an attacker would first have administrator access to the local machine where PowerShell is running in Constrained Language mode. By doing that an attacker could access resources in an unintended way.

The update addresses the vulnerability by correcting how PowerShell functions in Constrained Language Mode.