MS Windows Error Reporting Local Privilege Escalation Vulnerability (CVE-2019-0863)

May 14, 2019

Summary

A zero-day elevation of privilege vulnerability exists in the way Microsoft Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

While details about the use of the exploit are not available, it has reportedly been used in limited attacks against specific targets. Successful exploitation has been observed in the wild. [2][3]

Impact

If exploited, an attacker could use this to execute arbitrary code with Administrator privileges. They would need to first gain access to run code on a target system, but malware often uses elevations like this one to go from user-to-admin code execution. [3]

Vulnerable

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
  • Microsoft Windows Server 1903
  • Microsoft Windows Server 1803
  • Microsoft Windows RT 8.1
  • Microsoft Windows 8.1 for x64-based Systems
  • Microsoft Windows 8.1 for 32-bit Systems
  • Microsoft Windows 7 for Itanium-based Systems SP1
  • Microsoft Windows 7 for 32-bit Systems SP1
  • Microsoft Windows 10 Version 1903 for x64-based Systems
  • Microsoft Windows 10 Version 1903 for ARM64-based Systems
  • Microsoft Windows 10 Version 1903 for 32-bit Systems
  • Microsoft Windows 10 Version 1809 for x64-based Systems
  • Microsoft Windows 10 Version 1809 for ARM64-based Systems
  • Microsoft Windows 10 Version 1809 for 32-bit Systems
  • Microsoft Windows 10 Version 1803 for x64-based Systems
  • Microsoft Windows 10 Version 1803 for ARM64-based Systems
  • Microsoft Windows 10 Version 1803 for 32-bit Systems
  • Microsoft Windows 10 version 1709 for x64-based Systems
  • Microsoft Windows 10 Version 1709 for ARM64-based Systems
  • Microsoft Windows 10 version 1709 for 32-bit Systems
  • Microsoft Windows 10 version 1703 for x64-based Systems
  • Microsoft Windows 10 version 1703 for 32-bit Systems
  • Microsoft Windows 10 Version 1607 for x64-based Systems
  • Microsoft Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Windows 10 for x64-based Systems
  • Microsoft Windows 10 for 32-bit Systems
  • See Reference [1] for a full list of vulnerable products.

Recommendations

  • Update affected systems. 
  • We are not recommending emergency, out-of-band patching at this time as the exploit does not appear to have been publicly exposed, yet. However, given the severity, we recommend an aggressive patching schedule for this vulnerability (preferably within 7 days)

References