Multivendor Vulnerability Alert
Microsoft Windows Kernel Buffer Overflow Vulnerability

CVSS vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C
-
A vulnerability in the Microsoft Windows kernel-mode driver (KMD) could allow a local attacker to elevate privileges.
The vulnerability is due to improper memory operations performed by the affected software when handling crafted input. An attacker could exploit this vulnerability by accessing the system with valid credentials and executing a program designed to submit malicious input to the affected software. A successful exploit could allow the attacker to elevate privileges and completely compromise the targeted system.
Microsoft has confirmed the vulnerability in a security bulletin and released software updates.
-
The following Microsoft products are affected:
- Windows Server 2003 and 2003 x64 Edition SP2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista and Vista x64 Edition SP2
- Windows Server 2008 for 32-bit Systems and x64-based Systems SP2
- Windows Server 2008 for Itanium-based Systems SP2
- Windows 7 for 32-bit and x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems and x64-based Systems SP1
- Windows 8 and 8.1 for 32-bit and x64-based Systems
- Windows Server 2012 and Windows Server 2012 R2
- Windows RT and Windows RT 8.1
-
The vulnerability is due to insufficient validation of user input by the KMD, which can cause a memory operations error.
A local attacker could exploit this vulnerability by accessing the system with valid credentials and executing a program designed to submit malicious input to the affected software. When the input is processed, a buffer overflow could allow privilege elevation. A successful exploit could allow the attacker to elevate privileges and completely compromise the targeted system.
-
To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit.
Microsoft has resolved the vulnerability by correcting how the KMD validates user input.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to apply Snort SID 34784 to help prevent attacks that attempt to exploit the vulnerability.
Administrators are advised to monitor affected systems.
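As an added, read-only check that is not part of the Cisco alert, the following PowerShell script lets an administrator verify on a host whether it falls within the Windows versions listed above and whether the MS15-061 update is installed. The alert does not state the KB article number of the update, so the script takes it as a parameter; the default value 'KB_PLACEHOLDER' is a placeholder that must be replaced with the number given in bulletin MS15-061. The function name Get-Ms15061Status is an assumption of this example.

```powershell
# Added example, not part of the Cisco alert: report whether this host is in the
# alert's affected-OS range and whether the MS15-061 update is installed.
# The alert does not list the update's KB number; replace the placeholder below
# with the KB article number from bulletin MS15-061.
param(
    [string]$KbId = 'KB_PLACEHOLDER'   # placeholder, see bulletin MS15-061
)

function Get-Ms15061Status {
    param([string]$KbId)

    # Win32_OperatingSystem reports the real kernel version (on Windows 8.1,
    # [Environment]::OSVersion can be masked by application-compatibility shims).
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $version = [version]$os.Version

    # Kernel versions of the products named in the alert:
    #   5.2 = Server 2003, 6.0 = Vista / Server 2008, 6.1 = 7 / Server 2008 R2,
    #   6.2 = 8 / Server 2012, 6.3 = 8.1 / Server 2012 R2.
    $inAffectedRange = ($version.Major -eq 5 -and $version.Minor -eq 2) -or
                       ($version.Major -eq 6 -and $version.Minor -le 3)

    # Get-HotFix reads Win32_QuickFixEngineering; a missing entry yields $null
    # instead of a terminating error so the check can run unattended.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue | Select-Object -First 1

    if ($inAffectedRange -and -not $hotfix) {
        $action = 'Apply the MS15-061 update'
    } elseif ($inAffectedRange) {
        $action = 'Update present'
    } else {
        $action = 'OS version not in the affected range'
    }

    New-Object -TypeName PSObject -Property @{
        ComputerName    = $os.CSName
        OSCaption       = $os.Caption
        OSVersion       = $os.Version
        InAffectedRange = $inAffectedRange
        UpdateId        = $KbId
        UpdateInstalled = [bool]$hotfix
        InstalledOn     = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Action          = $action
    }
}

Get-Ms15061Status -KbId $KbId | Format-List
```

Run it with `-KbId` set to the real KB number; the `Action` field is 'Apply the MS15-061 update' only when the host is both in the affected version range and missing the update, which makes the output suitable for collecting across a fleet and filtering. Windows RT devices restrict script execution and are not covered by this check.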
-
Microsoft has released a security bulletin at the following link: MS15-061
-
Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Microsoft Update service. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
-
Cisco Intrusion Prevention System (IPS) 6.0
- Signature ID: 6557/0
- Signature Name: Microsoft Windows Kernel Local Privilege Escalation
- Release: S1015
- Latest Release Date: 04/05/2018
-
Alert history:
- Version 2 (2015-June-15 14:37 GMT): IntelliShield has updated this alert to include Snort signature information.
- Version 1 (2015-June-09 17:29 GMT): Microsoft Windows kernel-mode driver contains a vulnerability that could allow a local attacker to elevate privileges on a targeted system. Updates are available.
-
The security vulnerability applies to the following combinations of products.
Primary Products
Microsoft, Inc.
- Windows 7: for 32-bit systems (SP1) | for x64-based systems (SP1)
- Windows 8: for 32-bit systems (Base) | for x64-based systems (Base)
- Windows 8.1: for 32-bit Systems (Base) | for x64-based Systems (Base)
- Windows RT: Original Release (Base) | 8.1 (Base)
- Windows Server 2008: Datacenter Edition (SP2) | Datacenter Edition, 64-bit (SP2) | Itanium-Based Systems Edition (SP2) | Enterprise Edition (SP2) | Enterprise Edition, 64-bit (SP2) | Essential Business Server Standard (SP2) | Essential Business Server Premium (SP2) | Essential Business Server Premium, 64-bit (SP2) | Standard Edition (SP2) | Standard Edition, 64-bit (SP2) | Web Server (SP2) | Web Server, 64-bit (SP2)
- Windows Server 2008 R2: x64-Based Systems Edition (SP1) | Itanium-Based Systems Edition (SP1)
- Windows Server 2012: Original Release (Base)
- Windows Server 2012 R2: Original Release (Base)
- Windows Vista: Home Basic (SP2) | Home Premium (SP2) | Business (SP2) | Enterprise (SP2) | Ultimate (SP2) | Home Basic x64 Edition (SP2) | Home Premium x64 Edition (SP2) | Business x64 Edition (SP2) | Enterprise x64 Edition (SP2) | Ultimate x64 Edition (SP2)
Associated Products
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
FIXED SOFTWARE INFORMATION AND LINKS PROVIDED BY SUPPLIERS AND VENDORS ARE FOR REFERENCE ONLY. USERS SHOULD CONTACT THEIR SUPPLIER OR VENDOR FOR UPDATED SOFTWARE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products