Microsoft Windows Kernel 'cng.sys' CVE-2015-0010 Security Bypass Vulnerability

{"viewCount": 1, "id": "SMNTC-72461", "hash": "5747126c9e2b568b998744fac4c47cd747578252515685710c01d2b2d74fb749", "references": [], "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=72461", "history": [], "edition": 1, "description": "### Description\n\nMicrosoft Windows Kernel is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. \n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1\n * Microsoft Windows 7 for x64-based Systems SP1\n * Microsoft Windows 8 for 32-bit Systems\n * Microsoft Windows 8 for x64-based Systems\n * Microsoft Windows 8.1 for 32-bit Systems\n * Microsoft Windows 8.1 for x64-based Systems\n * Microsoft Windows RT\n * Microsoft Windows RT 8.1\n * Microsoft Windows Server 2003 Itanium SP2\n * Microsoft Windows Server 2003 SP2\n * Microsoft Windows Server 2003 x64 SP2\n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1\n * Microsoft Windows Server 2008 for 32-bit Systems SP2\n * Microsoft Windows Server 2008 for Itanium-based Systems SP2\n * Microsoft Windows Server 2008 for x64-based Systems SP2\n * Microsoft Windows Server 2012\n * Microsoft Windows Server 2012 R2\n * Microsoft Windows Vista Service Pack 2\n * Microsoft Windows Vista x64 Edition Service Pack 2\n\n### Recommendations\n\n#### Block external access at the network boundary, unless external parties require service.\n\nFilter access to the affected computer at the network boundary if global access isn't required. Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploits.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for anomalous or suspicious activity. Monitor logs generated by NIDS and by the server itself for evidence of attacks against the server. \n\n#### Permit privileged access for trusted individuals only.\n\nPermitting access to vulnerable applications for trusted individuals only can reduce the risk of an exploit. \n\nUpdates are available. Please see the references or vendor advisory for more information. \n", "cvelist": ["CVE-2015-0010"], "affectedSoftware": [{"operator": "eq", "name": "Microsoft Windows RT", "version": "any"}, {"operator": "eq", "name": "Microsoft Windows Server", "version": "2012"}, {"operator": "eq", "name": "Microsoft Windows Server 2008 R2 for Itanium-based Systems", "version": "SP1"}, {"operator": "eq", "name": "Microsoft Windows Server 2012", "version": "R2"}, {"operator": "eq", "name": "Microsoft Windows Server 2008 for 32-bit Systems", "version": "SP2"}, {"operator": "eq", "name": "Microsoft Windows 7 for x64-based Systems", "version": "SP1"}, {"operator": "eq", "name": "Microsoft Windows Server", "version": "2003 SP2"}, {"operator": "eq", "name": "Microsoft Windows", "version": "Vista SP2"}, {"operator": "eq", "name": "Microsoft Windows Server 2008 R2 for x64-based Systems", "version": "SP1"}, {"operator": "eq", "name": "Microsoft Windows Server 2008 for x64-based Systems", "version": "SP2"}, {"operator": "eq", "name": "Microsoft Windows Vista x64 Edition", "version": "SP2"}, {"operator": "eq", "name": "Microsoft Windows RT", "version": "8.1"}, {"operator": "eq", "name": "Microsoft Windows 7 for 32-bit Systems", "version": "SP1"}, {"operator": "eq", "name": "Microsoft Windows Server 2008 for Itanium-based Systems", "version": "SP2"}, {"operator": "eq", "name": "Microsoft Windows Server 2003 Itanium", "version": "SP2"}, {"operator": "eq", "name": "Microsoft Windows Server 2003", "version": "x64 SP2"}], "modified": "2015-02-10T00:00:00", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "bulletinFamily": "software", "title": "Microsoft Windows Kernel 'cng.sys' CVE-2015-0010 Security Bypass Vulnerability", "objectVersion": "1.2", "reporter": "Symantec Security Response", "lastseen": "2016-09-04T11:43:31", "type": "symantec", "published": "2015-02-10T00:00:00", "enchantments": {"vulnersScore": 1.9}}

{"result": {"cve": [{"id": "CVE-2015-0010", "type": "cve", "title": "CVE-2015-0010", "description": "The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka \"CNG Security Feature Bypass Vulnerability\" or MSRC ID 20707.", "published": "2015-02-10T22:00:31", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0010", "cvelist": ["CVE-2015-0010"], "lastseen": "2016-09-03T21:48:29"}], "kaspersky": [{"id": "KLA10474", "type": "kaspersky", "title": "\r KLA10474\nMultiple vulnerabilities in Microsoft products\t\t\t ", "description": "### *CVSS*:\n5.8\n\n### *Detect date*:\n02/10/2015\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple critical vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to fain privileges, bypass security restrictions or cause denial of service.\n\n### *Affected products*:\nWindows Server 2003 x86, x64, Itanium Service Pack 2 \nWindows Vista x86, x64 Service Pack 2 \nWindows Server 2008 x86, x64, Itanium Service Pack 2 \nWindows 7 x86, x64 Service Pack 1 \nWindows 2008 R2 x64, Itanium Service Pack 1 \nWindows 8 x86, x64 \nWindows 8.1 x86, x64 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows RT \nWindows RT 8.1 \n\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS15-010](<https://technet.microsoft.com/en-us/library/security/MS15-010>) \n\n\n### *Impacts*:\nSB \n\n### *Related products*:\n[Windows RT](<https://threats.kaspersky.com/en/product/Windows-RT-2/>)\n\n### *CVE-IDS*:\n[CVE-2015-0057](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0057>) \n[CVE-2015-0059](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0059>) \n[CVE-2015-0058](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0058>) \n[CVE-2015-0003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0003>) \n[CVE-2015-0010](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0010>) \n[CVE-2015-0060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0060>) \n\n\n### *MS list*:\n[MS15-010](<https://technet.microsoft.com/en-us/library/security/MS15-010>)\n\n### *KB list*:\n[3037639](<http://support.microsoft.com/kb/3037639>) \n[3013455](<http://support.microsoft.com/kb/3013455>) \n[3036220](<http://support.microsoft.com/kb/3036220>) \n[3023562](<http://support.microsoft.com/kb/3023562>)", "published": "2015-02-10T00:00:00", "cvss": {"score": 5.8, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10474", "cvelist": ["CVE-2015-0003", "CVE-2015-0057", "CVE-2015-0059", "CVE-2015-0060", "CVE-2015-0010", "CVE-2015-0058"], "lastseen": "2017-05-01T09:33:28"}], "exploitdb": [{"id": "EDB-ID:37098", "type": "exploitdb", "title": "Microsoft Windows - Local Privilege Escalation MS15-010", "description": "Microsoft Windows - Local Privilege Escalation (MS15-010). CVE-2015-0003,CVE-2015-0010,CVE-2015-0057,CVE-2015-0058,CVE-2015-0059,CVE-2015-0060. Local exploit...", "published": "2015-05-25T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/37098/", "cvelist": ["CVE-2015-0003", "CVE-2015-0057", "CVE-2015-0059", "CVE-2015-0060", "CVE-2015-0010", "CVE-2015-0058"], "lastseen": "2016-02-04T05:05:02"}], "openvas": [{"id": "OPENVAS:1361412562310805337", "type": "openvas", "title": "MS Windows Kernel-Mode Driver RCE Vulnerabilities (3036220)", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS15-010.", "published": "2015-02-11T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805337", "cvelist": ["CVE-2015-0003", "CVE-2015-0057", "CVE-2015-0059", "CVE-2015-0060", "CVE-2015-0010", "CVE-2015-0058"], "lastseen": "2017-07-02T21:12:38"}], "nessus": [{"id": "SMB_NT_MS15-010.NASL", "type": "nessus", "title": "MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)", "description": "The remote Windows host is missing a security patch. It is, therefore, affected by the following vulnerabilities :\n\n - A privilege escalation vulnerability exists in the Windows kernel-mode driver that is caused by improperly handling objects in memory. (CVE-2015-0003, CVE-2015-0057)\n\n - A security feature bypass vulnerability exists in the Cryptography Next Generation kernel-mode driver when failing to properly validate and enforce impersonation levels. (CVE-2015-0010)\n\n - A privilege escalation vulnerability exists in the Windows kernel-mode driver due to a double-free condition. (CVE-2015-0058)\n\n - A remote code execution vulnerability exists in the Windows kernel-mode driver that is caused when improperly handling TrueType fonts. (CVE-2015-0059)\n\n - A denial of service vulnerability exists in the Windows kernel-mode driver that is caused when the Windows font mapper attempts to scale a font.\n (CVE-2015-0060)", "published": "2015-02-10T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81263", "cvelist": ["CVE-2015-0003", "CVE-2015-0057", "CVE-2015-0059", "CVE-2015-0060", "CVE-2015-0010", "CVE-2015-0058"], "lastseen": "2017-07-25T05:47:54"}]}}