CERT-In Vulnerability Note
Multiple vulnerabilities in Microsoft Windows
Original Issue Date: March 15, 2017
Severity Rating: HIGH
Systems Affected:
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit and x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit and x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based and Itanium-based Systems Service Pack 1
- Windows 8.1 for 32-bit and x64-based Systems
- Windows Server 2012 and 2012 R2
- Windows RT 8.1
- Windows 10 for 32-bit and x64-based Systems
- Windows 10 Version 1511 for 32-bit and x64-based Systems
- Windows 10 Version 1607 for 32-bit and x64-based Systems
- Windows Server 2016 for x64-based Systems
- Windows Server 2008 for 32-bit and x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012 and 2012 R2 (Server Core installation)
- Windows Server 2016 for x64-based Systems (Server Core installation)
Overview:
Multiple vulnerabilities have been reported in Microsoft Windows which could allow a remote or local attacker to access sensitive information, cause memory corruption, bypass security restrictions, gain elevated privileges and cause Denial of Service (DoS) conditions.
1. Device Guard security restriction bypass vulnerability
A security restriction bypass vulnerability exists in the Windows Device Guard feature due to improper validation of certain elements in a signed PowerShell script. A local attacker could exploit this vulnerability to modify the contents of a PowerShell script without invalidating the signature associated with the file. Successful exploitation of this vulnerability could allow the local attacker to execute a malicious script and perform unauthorized actions, which could be used to launch further attacks.
2. SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability
A Denial of Service vulnerability exists in the Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client implementation due to improper handling of Server Message Block (SMB) network traffic by an affected client system. A remote attacker could use methods such as redirectors, injected HTML header links, etc., to trick a targeted user on a Windows client system into connecting to an attacker-controlled SMB server, which then sends malicious network responses to the targeted system. Successful exploitation of this vulnerability could allow the remote attacker to crash a vulnerable Windows client system and cause a Denial of Service (DoS) condition.
Note: An exploit of this vulnerability is publicly available.
3. Windows DLL Loading Remote Code Execution Vulnerability
A remote code execution vulnerability exists due to insufficient validation of user-supplied input by Microsoft Windows before loading certain dynamic link library (DLL) files. A remote attacker could exploit this vulnerability by tricking a targeted user into opening a crafted malicious application. Successful exploitation of this vulnerability could allow the remote attacker to gain access to an affected system with the privileges of the current user.
4. Windows DNS Query Information Disclosure Vulnerability
An information disclosure vulnerability exists in the Windows DNS client due to improper handling of requests. A remote attacker could exploit this vulnerability by enticing a targeted user to open a specially crafted malicious webpage; when a server is targeted, the remote attacker could instead trick the server into sending a DNS query to a malicious DNS server. Successful exploitation of this vulnerability could allow the remote attacker to access sensitive information, which could be used to conduct further attacks or compromise the targeted system.
5. Windows HelpPane Privilege Escalation Vulnerability
A Privilege Escalation vulnerability exists in Windows due to improper authentication of affected client systems when a Distributed Component Object Model (DCOM) object in Helppane.exe is configured to run as the interactive user. An attacker could exploit this vulnerability by executing a specially crafted arbitrary application once another user has logged in to the same system via Terminal Services or Fast User Switching. Successful exploitation of this vulnerability could allow a local attacker to gain elevated privileges on the target system.
Note: To exploit this vulnerability, the attacker must first log in to the targeted system. An exploit of this vulnerability is available in the wild, and is being used in targeted attacks.
6. iSNS Server Memory Corruption Vulnerability
A remote code execution vulnerability exists in Windows due to improper validation of client input by the iSNS Server service. A remote attacker could exploit this vulnerability by creating a specially crafted application that connects to the iSNS Server and issues malicious requests to it. Successful exploitation of this vulnerability could allow the remote attacker to trigger an integer overflow condition, which could be further used to execute arbitrary code in the security context of the SYSTEM account.
Workarounds:
- Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.
- Set the killbit for IMJPTIP.
Solution:
Apply appropriate updates as mentioned in the Microsoft Security Bulletin.
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003