
====================================================================

                           CERT-Renater

               Information Note No. 2015/VULN077
_____________________________________________________________________

DATE                : 13/05/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows versions Server 2003, Vista, Server 2008,
                      7, 8, 8.1, Server 2012, RT, RT 8.1
                      running Windows Kernel-Mode Drivers.

======================================================================
KB3057191
https://technet.microsoft.com/en-us/library/security/MS15-051
______________________________________________________________________


MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow
Elevation of Privilege (3057191)

Bulletin Number: MS15-051

Bulletin Title: Vulnerabilities in Windows Kernel-Mode Drivers Could
Allow Elevation of Privilege

Severity: Important

KB Article: 3057191

Version: 1.0

Published Date: May 12, 2015


Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The
more severe of these vulnerabilities could allow elevation of privilege
if an attacker can run arbitrary code in kernel mode. An attacker can
then install programs; view, change, or delete data; or create new
accounts with full user rights. An attacker must have valid logon
credentials and be able to log on locally to exploit this
vulnerability. The vulnerability cannot be exploited
remotely or by anonymous users.

This security update is rated Important for all supported editions of
Windows. For more information, see the Affected Software section.


Affected Software

Windows Server 2003 Service Pack 2

Windows Server 2003 R2 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 R2 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT[1]

Windows RT 8.1[1]

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1]This update is available via Windows Update only.


Vulnerability Information

Microsoft Windows Kernel Memory Disclosure Vulnerabilities

Information disclosure vulnerabilities exist when the Windows
kernel-mode driver leaks private address information during a function
call, which could allow the disclosure of kernel memory contents
revealing information about the system to an attacker. The information
disclosure vulnerabilities by themselves do not allow arbitrary code
execution. However, an attacker could use them in conjunction with
another vulnerability to bypass security features, such as Address
Space Layout Randomization (ASLR).

Microsoft received information about these vulnerabilities through
coordinated vulnerability disclosure. When this security bulletin was
issued, Microsoft had not received any information to indicate that
these vulnerabilities had been publicly used to attack customers.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                        CVE number
--------------------------------------------------------   -------------
Microsoft Windows Kernel Memory Disclosure Vulnerability   CVE-2015-1676
Microsoft Windows Kernel Memory Disclosure Vulnerability   CVE-2015-1677
Microsoft Windows Kernel Memory Disclosure Vulnerability   CVE-2015-1678
Microsoft Windows Kernel Memory Disclosure Vulnerability   CVE-2015-1679
Microsoft Windows Kernel Memory Disclosure Vulnerability   CVE-2015-1680

Win32k Elevation of Privilege Vulnerability - CVE-2015-1701


An elevation of privilege vulnerability exists when Windows kernel-mode
drivers improperly handle objects in memory. An attacker who
successfully exploited this vulnerability could run arbitrary code in
kernel mode. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights. The update
addresses this vulnerability by correcting how the Windows kernel-mode
driver handles objects in memory.

Win32k.sys is a kernel-mode device driver and the kernel part of the
Windows subsystem. It contains the window manager, which controls
window displays; manages screen output; collects input from the
keyboard, mouse, and other devices; and passes user messages to
applications. It also contains the Graphics Device Interface (GDI),
which is a library of functions for graphics output devices. Finally,
it serves as a wrapper for DirectX support that is implemented in
another driver (dxgkrnl.sys). The Windows kernel is the core of
the operating system. It provides system-level services, such as device
management and memory management, allocates processor time to
processes, and manages error handling.

To exploit this vulnerability, an attacker would first have to log on
to the system. An attacker could then run a specially crafted
application that could exploit the vulnerability and take complete
control over an affected system.

This vulnerability has been publicly disclosed. When this security
bulletin was issued, Microsoft was aware of limited, targeted attacks
that attempt to exploit this vulnerability.


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
