CERT-In Vulnerability Note
Microsoft Windows ASLR Vulnerability
Original Issue Date: November 24, 2017
Severity Rating: HIGH
A vulnerability has been reported in the implementation of Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1 and Windows 10. The vulnerability could allow a remote attacker to take control of an affected system.
Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. ASLR works by randomizing where programs are loaded in memory: instead of executing at predictable addresses that an attacker can anticipate, each process is laid out at a randomized location.
This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive any entropy. However, a flaw has been found in this ASLR implementation that results in programs being relocated to the same predictable address every time.
Windows 8 and newer systems that have system-wide mandatory ASLR enabled via EMET (Enhanced Mitigation Experience Toolkit) or Windows Defender Exploit Guard, but not bottom-up ASLR, will have non-DYNAMICBASE applications relocated to a predictable location, which voids any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier and create an opportunity for an attacker to carry out a memory-based attack.
Successful exploitation of this vulnerability could allow the attacker to compromise the targeted system completely.
Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR
To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8 or newer system, the following registry value should be imported:
Windows Registry Editor Version 5.00
Note: Importing this registry value will overwrite any existing system-wide mitigations specified by this registry value. The bottom-up ASLR setting specifically is the second 01 in the binary string, while the mandatory ASLR setting is the first 01. Also note that in the past, enabling system-wide mandatory ASLR could cause problems if older AMD/ATI video card drivers were in use. This issue was addressed in the Catalyst 12.6 drivers released in June 2012.
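To audit an exported mitigation value of this kind before or after import, the following added Python example (not CERT-In's or Microsoft's code) decodes the .reg hex string and flags the gap the note describes: mandatory ASLR forced on without bottom-up ASLR. The byte positions follow the note's "first 01 / second 01" description; the reading of 02 as "always off" and the placeholder value name are assumptions.

```python
"""Decode a .reg 'hex:' mitigation value and flag mandatory ASLR without bottom-up ASLR.

Constructed example. Byte 1 (the note's first "01") is mandatory ASLR and
byte 2 (the second "01") is bottom-up ASLR. Treating 02 as "always off" is
an assumption beyond the note; the key path and value name are omitted.
"""
import re

# Each setting is a two-bit field: 0 = not set, 1 = always on, 2 = always off.
STATE = {0: "default", 1: "always on", 2: "always off"}

MANDATORY_ASLR = 1   # byte offset of the first 01: force-relocate non-DYNAMICBASE images
BOTTOM_UP_ASLR = 2   # byte offset of the second 01: bottom-up allocation randomization


def parse_reg_hex(line: str) -> bytes:
    """Return the bytes of a .reg 'hex:' (or 'hex(n):') value, joining '\\' continuations."""
    m = re.search(r'hex(?:\(\d+\))?:(.*)', line, re.S)
    if not m:
        raise ValueError("not a .reg hex value")
    body = re.sub(r'\\\s*', '', m.group(1))          # drop backslash + line break
    parts = [p.strip() for p in body.split(',') if p.strip()]
    return bytes(int(p, 16) for p in parts)


def field_state(value: bytes, offset: int) -> str:
    """State of the two-bit field stored in the low bits of the byte at offset."""
    bits = value[offset] & 0b11 if offset < len(value) else 0
    return STATE.get(bits, "invalid")


def audit(line: str) -> dict:
    """States of both ASLR settings plus whether the predictable-relocation gap exists."""
    value = parse_reg_hex(line)
    mandatory = field_state(value, MANDATORY_ASLR)
    bottom_up = field_state(value, BOTTOM_UP_ASLR)
    # The gap: relocation is forced, but without bottom-up ASLR the new
    # address receives no entropy and is the same on every run.
    gap = mandatory == "always on" and bottom_up != "always on"
    return {"mandatory_aslr": mandatory, "bottom_up_aslr": bottom_up,
            "predictable_relocation": gap}


# Constructed sample .reg lines (placeholder value name, no key path).
WEAK = '"<mitigation value>"=hex:00,01,00,00,00,00,00,00,\\\n  00,00,00,00,00,00,00,00'
FIXED = '"<mitigation value>"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00'

if __name__ == "__main__":
    for label, reg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(reg))
```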
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003