CVE-2016-0070
Published 2016-10-14
CVE-2016-0070: The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and…
Priority: P3 · 38 · medium · 5.5 (CVSS 3.0)
CVSS 3.0 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 11.49% (95.5th percentile)
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application that makes an API call to access sensitive information in the registry, aka "Windows Kernel Local Elevation of Privilege Vulnerability."
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vendor_msrc | — | 5.5 | HIGH | — |
Microsoft
Windows Kernel Local Elevation of Privilege Vulnerability
vendor_msrc · 2016-10-11 · CVSS 5.5
CVE-2016-0070 [MEDIUM] Windows Kernel Local Elevation of Privilege Vulnerability
Windows Kernel Local Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Kernel API improperly allows a user to access sensitive registry information. An attacker who successfully exploited the vulnerability could gain access to user account information that is not intended for the user.
A locally authenticated attacker could exploit this vulnerability by running a specially crafted application.
The security update addresses the vulnerability by helping to ensure that the Windows Kernel API correctly restricts access to user account information.
Windows Registry: Windows Registry
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software R
Project0
The Windows Registry Adventure #3: Learning resources - Project Zero
project_zero · 2024-06-01
CVE-2016-0070 The Windows Registry Adventure #3: Learning resources - Project Zero
Posted by Mateusz Jurczyk, Google Project Zero
When tackling a new vulnerability research target, especially a closed-source one, I prioritize gathering as much information about it as possible. This gets especially interesting when it's a subsystem as old and fundamental as the Windows registry. In that case, tidbits of valuable data can lurk in forgotten documentation, out-of-print books, and dusty open-source code – each potentially offering a critical piece of the puzzle. Uncovering them takes some effort, but the payoff is often immense. Scraps of information can contain hints as to how certain parts of the software are implemented, as well as why – what were the design decisions that led to certain outcomes etc. When seeing the big picture, it becomes much easier to reason abou
GHSA
GHSA-2rf7-pp2w-jfwg: The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed · 2022-05-14
CVE-2016-0070 [MEDIUM] CWE-200 GHSA-2rf7-pp2w-jfwg: The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application that makes an API call to access sensitive information in the registry, aka "Windows Kernel Local Elevation of Privilege Vulnerability."
No detection rules found.
Fortinet
Microsoft Kernel Integer Overflow Vulnerability
blogs_fortinet · 2016-10-31 · CVSS 5.5
CVE-2016-0070 [MEDIUM] Microsoft Kernel Integer Overflow Vulnerability
FORTIGUARD LABS THREAT RESEARCH
Microsoft Kernel Integer Overflow Vulnerability
By Honggang Ren | October 31, 2016
Last month I discovered and reported an integer overflow vulnerability in the Windows Registry. Last Tuesday, October 25th, Microsoft released Security Bulletin MS16-124, which contains the patch for this vulnerability, and identifies it as CVE-2016-0070.
This vulnerability could lead to local privilege elevation, and is rated as “Important” by Microsoft. The vulnerability affects multiple Windows versions, and Microsoft has recommended installing this update immediately.
In this blog I will share the details of this vulnerability.
How to Reproduce
To reproduce the vulnerability, follow the steps below.
Sign into Windows 7 with any non-admin account.
Run regedit.exe in
Talos
Microsoft Patch Tuesday - October 2016
blogs_talos · 2016-10-11 · CVSS 5.5
[MEDIUM] Microsoft Patch Tuesday - October 2016
Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins, five of which are rated critical and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.
## Bulletins Rated Critical
The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127
MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edg
Bugzilla
CVE-2016-1906 Kubernetes api server: build config to a strategy that isn't allowed by policy
bugzilla · 2016-01-12 · CVSS 9.8
CVE-2016-1906 [CRITICAL] CVE-2016-1906 Kubernetes api server: build config to a strategy that isn't allowed by policy
CVE-2016-1906 Kubernetes api server: build config to a strategy that isn't allowed by policy
Kubernetes api server: build config to a strategy that isn't allowed by policy
External reference:
https://github.com/openshift/origin/issues/6556
https://github.com/openshift/origin/pull/6576
Discussion:
*** Bug 1298128 has been marked as a duplicate of this bug. ***
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.1
Via RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0070
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.0
Via RHSA-2016:0351 https://access.redhat.com/errata/RHSA-2016:0351
Bugzilla
CVE-2016-1905 Kubernetes api server: patch operation should use patched object to check admission control
bugzilla · 2016-01-12 · CVSS 7.7
CVE-2016-1905 [HIGH] CVE-2016-1905 Kubernetes api server: patch operation should use patched object to check admission control
CVE-2016-1905 Kubernetes api server: patch operation should use patched object to check admission control
Kubernetes api server: patch operation should use patched object to check admission control
External reference:
https://github.com/kubernetes/kubernetes/issues/19479
Discussion:
Upstream patch:
https://github.com/deads2k/kubernetes/commit/d1e258afcf837cf70522c2950bb0aef593da9c3e
---
*** Bug 1298116 has been marked as a duplicate of this bug. ***
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.1
Via RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0070
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.0
Via RHSA-2016:0351 https://access.redhat.com/errata/RHSA
Bugzilla
CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)
bugzilla · 2015-11-16 · CVSS 6.5
CVE-2015-5323 [MEDIUM] CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)
CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)
The following flaw was found in Jenkins:
API tokens of other users were exposed to admins by default. On instances that don't implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user's credentials.
In very specific circumstances, it allows admins to gain permissions they would not otherwise have.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Discussion:
Fixed in Fedora in:
jenkins-1.609.3-3.fc22
jenkins-1.625.2-2.fc23
jenkins-1.625.2-2.fc24
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.1
Via RHSA-2016:0070 https://access.redhat.com/errata/
Bugzilla
CVE-2015-5326 jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
bugzilla · 2015-11-16 · CVSS 4.3
CVE-2015-5326 [MEDIUM] CVE-2015-5326 jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
CVE-2015-5326 jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
The following flaw was found in Jenkins:
Users with the permission to take slave nodes offline can enter arbitrary HTML that gets shown unescaped to users visiting the slave overview page.
This flaw allows admins and users with significant privileges to circumvent XSS protection.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Discussion:
Fixed in Fedora in:
jenkins-1.609.3-3.fc22
jenkins-1.625.2-2.fc23
jenkins-1.625.2-2.fc24
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.1
Via RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0070
---
This issue has been addressed i
Bugzilla
CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
bugzilla · 2015-11-16 · CVSS 7.5
CVE-2015-5317 [HIGH] CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
The following flaw was found in Jenkins:
The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those shared file fingerprints with fingerprinted files in accessible jobs.
Users have no control over which information they see, and the kind of information revealed is very limited.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Discussion:
Fixed in Fedora in:
jenkins-1.609.3-3.fc22
jenkins-1.625.2-2.fc23
jenkins-1.625.2-2.fc24
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.1
Via RHSA-2016:0070 https://access.redhat.com/err
Bugzilla
CVE-2015-5322 jenkins: Local file inclusion vulnerability (SECURITY-195)
bugzilla · 2015-11-16 · CVSS 5.0
CVE-2015-5322 [MEDIUM] CVE-2015-5322 jenkins: Local file inclusion vulnerability (SECURITY-195)
CVE-2015-5322 jenkins: Local file inclusion vulnerability (SECURITY-195)
The following flaw was found in Jenkins:
Access to the /jnlpJars/ URL was not limited to the specific JAR files users needed to access, allowing browsing directories and downloading other files in the Jenkins servlet resources, such as web.xml.
The information gained is very limited, and it requires a specific setup to gain any non-public information this way.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Discussion:
Fixed in Fedora in:
jenkins-1.609.3-3.fc22
jenkins-1.625.2-2.fc23
jenkins-1.625.2-2.fc24
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.1
Via RHSA-2016:0070 https://access.redhat.com