14 Dec 2018

Blogs

Windows DNS Server Privilege Escalation vulnerability (CVE-2018-8626) leading to Remote Code execution alleged to have Proof of Concept exploit

INTRODUCTION

AUSCERT recently published an ASB addressing Microsoft’s security updates for the month of December. 

Among the vulnerabilities addressed was a Critical vulnerability in the DNS Server implementation in the following Windows platforms:

“Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for 64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)
Windows Server, version 1803 (Server Core Installation)” [1]

Security updates fixing the vulnerability have been provided by Microsoft.

 

VULNERABILITY DESCRIPTION

In their vulnerability description, Microsoft states:

“A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.” [1]

Failed exploitation attempts will lead to denial of service conditions.

 

NVD CVSS3 Vector: 

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

NVD CVSS3 Base Score:

9.8 (Critical)

 

PROOF OF CONCEPT EXPLOIT

Although the NVD CVSS3 vector above indicates a proof of concept exploit exists for this vulnerability, AUSCERT has not been able to access it or find any threat indicators related to it. We will continue to update this blog as more information becomes available.

 

References

1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626