====================================================================
CERT-Renater Information Note No. 2016/VULN059
_____________________________________________________________________
DATE                 : 12/02/2016
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Windows versions Vista, Server 2008, 7, 8.1, 10,
                       Server 2012 running WebDAV.
======================================================================
KB3136041
https://technet.microsoft.com/en-us/library/security/MS16-016
_____________________________________________________________________

Microsoft Security Bulletin MS16-016: Security Update for WebDAV to
Address Elevation of Privilege (3136041)

Bulletin Number : MS16-016
Bulletin Title  : Security Update for WebDAV to Address Elevation of Privilege
Severity        : Important
KB Article      : 3136041
Version         : 1.0
Published Date  : February 9, 2016

Executive Summary

This security update resolves a vulnerability in Microsoft Windows. The
vulnerability could allow elevation of privilege if an attacker uses the
Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send
specially crafted input to a server.

This security update is rated Important for Windows Vista, Windows Server
2008, Windows 7, and Windows Server 2008 R2, and Moderate for Windows 8.1,
Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Affected Software

  Windows Vista x64 Edition Service Pack 2
  Windows Server 2008 for 32-bit Systems Service Pack 2 [1]
  Windows Server 2008 for x64-based Systems Service Pack 2 [1]
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1 [1]
  Windows 8.1 for 32-bit Systems
  Windows 8.1 for x64-based Systems
  Windows Server 2012 [1]
  Windows Server 2012 R2 [1]
  Windows RT 8.1 [2]
  Windows 10 for 32-bit Systems [3]
  Windows 10 for x64-based Systems [3]
  Windows 10 Version 1511 for 32-bit Systems [3]
  Windows 10 Version 1511 for x64-based Systems [3]

  [1] Servers are affected only if Desktop Experience is installed.
  [2] This update is available via Windows Update only.
  [3] Windows 10 updates are cumulative. In addition to containing
      non-security updates, they also contain all of the security fixes for
      all of the Windows 10-affected vulnerabilities shipping with the
      monthly security release. The update is available via the Windows
      Update Catalog.

Vulnerability Information

WebDAV Elevation of Privilege Vulnerability - CVE-2016-0051

An elevation of privilege vulnerability exists in the Microsoft Web
Distributed Authoring and Versioning (WebDAV) client when WebDAV improperly
validates input. An attacker who successfully exploited this vulnerability
could execute arbitrary code with elevated permissions.

To exploit the vulnerability, an attacker would first have to log on to the
system. An attacker could then run a specially crafted application that
could exploit the vulnerability and take control of an affected system.
Workstations and servers are primarily vulnerable to this attack.

The update addresses the vulnerability by correcting how WebDAV validates
input.
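The following PowerShell script is an added example and is not part of the CERT-Renater note or of the Microsoft bulletin. It lets an administrator check a host against the conditions stated above: whether the WebDAV client is present (the bulletin's footnote [1] says servers are affected only with Desktop Experience installed), and whether the MS16-016 update KB3136041 is reported as installed. Two assumptions are labelled in the code: that the WebDAV client corresponds to the Windows "WebClient" service, and that on Windows 10, where the fix ships inside a cumulative update whose KB number the note does not give, the result must be read as "verify the cumulative update level" rather than as a pass or fail.

```powershell
# Added example, not from the CERT-Renater note or the Microsoft bulletin.
# Checks one host for exposure to CVE-2016-0051 (MS16-016) from a defender's view.
# Assumptions: the WebDAV client is the "WebClient" service; on Windows 10 the fix
# arrives in a cumulative update whose KB number is not given in the note.

$KbId = 'KB3136041'   # KB number taken from the bulletin

function Get-WebDavExposure {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Assumption: the WebDAV client runs as the WebClient service. On Server
    # editions it exists only when Desktop Experience is installed, which is
    # the condition in footnote [1] of the bulletin.
    $webClient = Get-Service -Name WebClient -ErrorAction SilentlyContinue

    # Get-HotFix lists installed updates by KB number.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    $isWin10 = $os.Caption -like '*Windows 10*'

    $note = if ($isWin10) {
        # Footnote [3]: Windows 10 updates are cumulative, so KB3136041 may not
        # appear by name. Check the installed cumulative update level instead.
        'Windows 10: verify the installed cumulative update level (fix not listed as KB3136041)'
    } elseif (-not $webClient) {
        'WebDAV client not present (e.g. Server without Desktop Experience): not affected per bulletin'
    } elseif ($hotfix) {
        'Patched: KB3136041 installed'
    } else {
        'WebDAV client present and KB3136041 not found: apply MS16-016'
    }

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        OS                = $os.Caption
        WebDavClientFound = [bool]$webClient
        WebDavClientState = if ($webClient) { $webClient.Status.ToString() } else { 'absent' }
        KbInstalled       = [bool]$hotfix
        KbInstalledOn     = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Assessment        = $note
    }
}

# Usage: run in an elevated PowerShell session on the host to be checked.
Get-WebDavExposure | Format-List
```

The function returns an object rather than printing text, so it can be run over a fleet with Invoke-Command and the results filtered on the Assessment field; a host where WebDavClientFound is true and KbInstalled is false is the one the note asks to patch.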
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

  Vulnerability title                            CVE number      Publicly disclosed  Exploited
  ---------------------------------------------  --------------  ------------------  ---------
  WebDAV Elevation of Privilege Vulnerability    CVE-2016-0051   No                  No

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris            | email: cert@support.renater.fr +
==========================================================