Multiple Vulnerabilities in Microsoft Windows and Windows Server Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2019-002

DATE(S) ISSUED:

01/07/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Microsoft Windows and Windows Server, the most severe of which could allow for code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining local system account privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• • Windows 10 Version 1607 for 32-bit Systems and x64-based Systems
• • Windows 10 Version 1709 for 32-bit Systems, 64-based Systems, and ARM64-based Systems
• • Windows 10 Version 1803 for 32-bit Systems, ARM64-based Systems, and x64-based Systems
• • Windows 10 Version 1809 for 32-bit Systems, ARM64-based Systems, and x64-based Systems
• • Windows Server 2012 R2 and Server Core installation
• • Windows Server 2016 and Server Core installation
• • Windows Server 2019 and Server Core installation
• • Windows Server, versions 1709 and 1803 (Server Core Installation for both versions)
• • Windows 10 for 32-bit Systems and x64-based Systems
• • Windows 10 Version 1703 for 32-bit Systems and x64-based Systems
• • Windows 7 for 32-bit Systems Service Pack 1 and x64-based Systems Service Pack 1
• • Windows 8.1 for 32-bit systems and x64-based systems
• • Windows RT 8.1
• • Windows Server 2008 for 32-bit Systems Service Pack 2 and Server Core installation
• • Windows Server 2008 for Itanium-Based Systems Service Pack 2, x64-based Systems Service Pack 2, and Server Core installation
• • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1, x64-based Systems Service Pack 1, and Server Core installation
• • Windows Server 2012 and Server Core installation

RISK:

TECHNICAL SUMMARY:

Vulnerabilities have been discovered in Microsoft Windows and Windows Server, which could allow for arbitrary code execution:

• A vulnerability exists in the Microsoft Windows Kernel Transaction Manager (KTM) that could allow for local privilege escalation due to failing to properly handle memory objects. This vulnerability can also be used to escape the sandbox of modern web browsers such as Edge and Chrome. (CVE-2018-8611)
• A heap overflow vulnerability exists in Microsoft DNS servers that could allow unauthenticated remote attackers to run arbitrary code as the local system account. (CVE-2018-8626)

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining local system account privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMENDATIONS:

We recommend the following actions be taken:

• Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing
• Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
• Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES: