CVE-2017-0007
published 2017-03-17
CVE-2017-0007: Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating…
Priority P4 · 33 · medium · 5.5 CVSS 3.0
AV:L AC:L PR:L UI:N S:U C:N I:H A:N
EPSS 11.26% (95.4th percentile)
Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft_corporation | device_guard | — | — |
| msrc | windows_10_for_32-bit_systems | — | — |
| msrc | windows_10_for_x64-based_systems | — | — |
| msrc | windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | windows_server_2016 | — | — |
CVSS provenance
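| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N |
| vendor_msrc | — | 5.5 | MEDIUM | — |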
Microsoft
Device Guard Security Feature Bypass Vulnerability
vendor_msrc·2017-03-14·CVSS 5.5
CVE-2017-0007 [MEDIUM] Device Guard Security Feature Bypass Vulnerability
Description: A security feature bypass exists when Device Guard does not properly validate certain elements of a signed PowerShell script. An attacker who successfully exploited this vulnerability could modify the contents of a PowerShell script without invalidating the signature associated with the file. Because Device Guard relies on the signature to determine the script is non-malicious, Device Guard could then allow a malicious script to execute.
In an attack scenario, an attacker could modify the contents of a PowerShell script without invalidating the signature associated with the file.
The update addresses the vulnerability by correcting how Device Guard validates certain elements of signed PowerShell scripts.
Microsoft PowerShell
GHSA
GHSA-g66p-2m7v-98p3: Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidatin
ghsa_unreviewed·2022-05-17
CVE-2017-0007 [MEDIUM] CWE-20 GHSA-g66p-2m7v-98p3: Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidatin
Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."
Kernel
bpf: fix incorrect tracking of register size truncation
kernel_security·2017-12-18·CVSS 7.8
CVE-2017-16996 [HIGH] bpf: fix incorrect tracking of register size truncation
Properly handle register truncation to a smaller size.
The old code first mirrors the clearing of the high 32 bits in the bitwise
tristate representation, which is correct. But then, it computes the new
arithmetic bounds as the intersection between the old arithmetic bounds and
the bounds resulting from the bitwise tristate representation. Therefore,
when coerce_reg_to_32() is called on a number with bounds
[0xffff'fff8, 0x1'0000'0007], the verifier computes
[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.
This is incorrect: The truncated number could also be in the range [0, 7],
and no meaningful arithmetic bounds can be computed in that case apart from
the obvious [0, 0xffff'ffff].
Starting with v4.14, this is exploi
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/96018
http://www.securitytracker.com/id/1038001
https://enigma0x3.net/2017/04/03/defeating-device-guard-a-look-into-cve-2017-0007/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0007
2017-03-17
Published