|CERT-In Vulnerability Note
Microsoft Windows Pragmatic General Multicast Protocol (PGM) Privilege Escalation Vulnerability
Original Issue Date:December 09, 2015
Severity Rating: MEDIUM
- Windows Vista SP2 and x64 Edition SP2
- Windows Server 2008 for 32-bit, x64-based and Itanium-based systems SP2
- Windows 7 for 32-bit and x64-based systems Service pack 1
- Windows Server 2008 R2 x64-based and Itanium-based systems Service Pack 1
- Windows 8 for 32-bit and x64-based systems
- Windows 8.1 for 32-bit and x64-based systems
- Windows Server 2012 and Windows Server 2012 R2
- Windows RT and Windows RT 8.1
- Windows 10 for 32-bit and x64-based systems
- Windows 10 version 1511 for 32-bit and x64-based systems
- Windows Server 2008 for 32-bit and x64-based systems Service Pack 2 (Server Core Installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2 (Server Core installation)
A vulnerability has been reported in the Windows Pragmatic General Multicast (PGM) protocol that could allow a local attacker to execute code with elevated privileges on the targeted system.
A privilege escalation vulnerability exists in Windows Pragmatic General Multicast (PGM) protocol due to improper referencing of memory objects that results in a race condition if the attacker tries to access the memory objects that have already been freed.
An authenticated local attacker could exploit this vulnerability by executing a specially crafted application that is designed to induce a race condition. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges.
Note: Microsoft Message Queuing (MSMQ) must be installed and PGM specifically enabled for a system to be vulnerable.
Apply appropriate patches as mentioned in Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003