CVE-2017-0213
published 2017-05-12

CVE-2017-0213: Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1…

Priority: P1 · 87 · high · CVSS 3.1 base score 7.3
CVSS vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-18
Exploited in the wild
EPSS: 84.14% (99.7th percentile)
Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.

Affected

18 ranges

Vendor                 Product                       Version range   Fixed in
microsoft              windows_10                    -               -
microsoft              windows_10                    -               -
microsoft              windows_10                    -               -
microsoft              windows_server_2008           -               -
microsoft              windows_server_2012           -               -
microsoft_corporation  windows_com                   -               -
msrc                   windows_10                    -               -
msrc                   windows_10_version_1511       -               -
msrc                   windows_10_version_1607       -               -
msrc                   windows_10_version_1703       -               -
msrc                   windows_7                     -               -
msrc                   windows_8.1                   -               -
msrc                   windows_rt_8.1                -               -
msrc                   windows_server_2008           -               -
msrc                   windows_server_2008_r2        -               -
msrc                   windows_server_2012           -               -
msrc                   windows_server_2012_r2        -               -
msrc                   windows_server_2016           -               -

Detection & IOCs (extracted from sources)

Type    Value (hashes are 64 hex characters, i.e. SHA-256 length)
hash    d6a956684e7b3dc1e7c420b8ff2f8f3367f68cc5a7c440a8a2d8f78f1a59c859
hash    ab2c3f3e1750b92273772624d2bbf1827bb066ac4b6e5fe7843c884f4d1dfae9
hash    b6663af099538a396775273d79cb6fff99a18e2de2a8a2a106de8212cc44f3e2
hash    edaddb4671a5ff6cc46b94b0d7fafefe6c623802b462c72cf039c8047ac35328
hash    1318f8a4566a50537f579d24fd1aabcf7e22e89bc75ffd13b3088fc6e80e9a2a
hash    c86df3a8c050f430982dc8d4f4cc172ccc37478d1ba2646dc205bffe073484d1
hash    b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246
hash    46f7b205b0a143b60deb5ad38c042702ddaa18d0ee2954d3380ee302ed1484bc
hash    f4277284fa71e81586e67fb5fe464c8cdacc0a2f588e3b80a814b41504a37156
hash    438f11a883070214ad063ddf043460ca54863c1f7bf1db64b6d0d474331c94f8
hash    2bcd2afd6bd3051681ee269beaf46cd20cc1a121e0c2328126e1b63fab6632f2
hash    c5c2c382bb3fa555e2c311f8f53a99d62c576dfeeb8aff6ad46f73d8a0d2dd13
hash    4e8e84ad831cf251366b609720d6e3c6523fdd66ea0f989acb5d62e62e418cdf
hash    60620c93071bf5c5f2a024588f8e1d8a0a710d37fd12169cf7526e737934e449
hash    4a63daa8477d16abfcf564aa8ef1f4f68c5e4dbc09f65bd6ebb2f43d8a24ba3d
hash    2036f30ed21663586e62e67efec30c37bb91fb8bc9e1983f69f98f19242ed5cc
hash    e7d3ab7cd88592858aaeeaeca61a486352d7ccecfb124bfa6a3725dc682a8201
hash    ce33096639fb5c51684e9e3a7c7c7161884ecad29e8d6ad602fd8be42076b8d4
hash    98d91b550f5c6bfc2b7767985071d1dfa2e39780dc41b9d9d07e5117d58a8686
hash    0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36
hash    6fd4ec6611bf7e691be80483bcf860e827d513df45e20d78f29cf4638b6c20e8
hash    4f0268288fb680fbabc48b09a87e828a6e18782516fa9b9bfc23acc2727f6ba9
hash    f043f7156e1d678ac2c852c8f364aae93d895cae934d1ec42af13d175465913e
hash    cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8
hash    3bc8ce79ee7043c9ad70698e3fc2013806244dc5112c8c8d465e96757b57b1e1
hash    e1957024039b0e48a15c27448f19d4df4f0e4666f9ac34e7f4d42dd3c32e15ed
other   MS.Windows.COM.Type.Confusion.Privilege.Escalation (IPS signature name)
  • CVE-2017-0213 is a type confusion in the Windows COM Aggregate Marshaler exploited for local privilege escalation; monitor for calls to the BITS SetNotifyInterface method carrying an OBJREF stream whose IID does not match the requested interface, and for type library loading performed under an impersonation context.
  • APT33 has used a publicly available exploit for CVE-2017-0213 for local privilege escalation; hunt for exploit binaries associated with this CVE on endpoints.
  • Monitor the Windows System event log for Event ID 7031 (Service Control Manager: service terminated unexpectedly), which may indicate Ragnar Locker terminating services as a post-exploitation step after CVE-2017-0213 privilege escalation.
  • Alert on vssadmin.exe invocations that delete shadow copies, a post-exploitation step observed after CVE-2017-0213 privilege escalation in Ragnar Locker attacks.
  • The PoC exploit for CVE-2017-0213 abuses BITS SetNotifyInterface; monitor for unusual BITS service activity and for type libraries loaded from non-standard paths while the service impersonates a low-privileged user.
  • Network traffic to Tor nodes following initial compromise may indicate post-exploitation C2 activity in campaigns leveraging CVE-2017-0213.
  • Type libraries are not loaded with the flag added after CVE-2015-1644 that prevents DLLs from being loaded from the impersonated device map, so the type-library loading vector remains open in the CVE-2017-0213 exploit chain.
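
The event-log observables from the notes above (Service Control Manager 7031, vssadmin shadow-copy deletion, a privileged service host loading a module from a non-standard path) as one hunt over constructed Windows event records. This is an added example for this page, not code from the page or from any of its sources (CISA, MITRE ATT&CK, the Project Zero report); the record layout, the trusted-path list, the privileged-account list and every sample record are assumptions made for the demo and should be mapped onto your own SIEM's field names.

```python
"""Hunt for CVE-2017-0213 post-exploitation behaviour over Windows event records.

Added example, not code from the page's sources. Records are dicts with
event_id / provider / fields; the samples at the bottom are constructed.
"""
import re
from typing import Dict, List, Optional

# Assumption: modules loaded by privileged service hosts are expected to come
# from these directories; anything else is treated as "non-standard".
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Accounts a service host such as svchost.exe (which hosts BITS) runs as.
PRIVILEGED_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}

# vssadmin shadow-copy deletion; "List Shadows" and other verbs do not match.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


def check_service_crash(rec: Dict) -> Optional[Dict]:
    """System log, Service Control Manager 7031: 'The X service terminated unexpectedly'."""
    if rec["event_id"] == 7031 and rec["provider"] == "Service Control Manager":
        return {"rule": "service_terminated_unexpectedly",
                "service": rec["fields"].get("param1", "?")}
    return None


def check_shadow_copy_deletion(rec: Dict) -> Optional[Dict]:
    """Process creation (Sysmon 1 or Security 4688) running vssadmin ... delete shadows."""
    if rec["event_id"] not in (1, 4688):
        return None
    cmdline = rec["fields"].get("CommandLine", "")
    if VSS_DELETE.search(cmdline):
        return {"rule": "shadow_copy_deletion", "command_line": cmdline}
    return None


def check_nonstandard_module_load(rec: Dict) -> Optional[Dict]:
    """Sysmon 7 image load: a privileged service host pulling a module from outside
    the trusted prefixes. The .tlb mapping itself is not an image-load event; the
    DLL that a redirected type-library load brings in is, which is the observable
    side of the 'type library from a non-standard path' note (heuristic)."""
    if rec["event_id"] != 7 or rec["provider"] != "Microsoft-Windows-Sysmon":
        return None
    f = rec["fields"]
    loaded = f.get("ImageLoaded", "").lower()
    user = f.get("User", "").lower()
    if user in PRIVILEGED_ACCOUNTS and loaded and not loaded.startswith(TRUSTED_PREFIXES):
        return {"rule": "nonstandard_module_load_in_privileged_host",
                "process": f.get("Image", "?"), "module": f.get("ImageLoaded")}
    return None


CHECKS = (check_service_crash, check_shadow_copy_deletion, check_nonstandard_module_load)


def hunt(records: List[Dict]) -> List[Dict]:
    """Run every check over every record; findings come back in record order."""
    findings = []
    for rec in records:
        for check in CHECKS:
            hit = check(rec)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample records: three should fire, the last two should not.
SAMPLE_RECORDS = [
    {"event_id": 7031, "provider": "Service Control Manager",
     "fields": {"param1": "Windows Defender Antivirus Service"}},
    {"event_id": 1, "provider": "Microsoft-Windows-Sysmon",
     "fields": {"Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
                "User": r"NT AUTHORITY\SYSTEM"}},
    {"event_id": 7, "provider": "Microsoft-Windows-Sysmon",
     "fields": {"Image": r"C:\Windows\System32\svchost.exe",
                "ImageLoaded": r"C:\Users\lowpriv\AppData\Local\Temp\payload.dll",
                "User": r"NT AUTHORITY\SYSTEM"}},
    # benign: listing shadow copies is routine administration
    {"event_id": 1, "provider": "Microsoft-Windows-Sysmon",
     "fields": {"Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin.exe List Shadows",
                "User": r"CORP\admin"}},
    # benign: the BITS service DLL loading from System32
    {"event_id": 7, "provider": "Microsoft-Windows-Sysmon",
     "fields": {"Image": r"C:\Windows\System32\svchost.exe",
                "ImageLoaded": r"C:\Windows\System32\qmgr.dll",
                "User": r"NT AUTHORITY\SYSTEM"}},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

The first note's indicator (a SetNotifyInterface call with a mismatched IID/OBJREF) is not visible in the Windows event log at all; it needs COM/RPC-level tracing or a network or host IPS signature such as the one listed under IOCs, so the script above deliberately covers only the three log-level observables.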

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.3    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     1.9    LOW       AV:L/AC:M/Au:N/C:N/I:P/A:N
vulncheck             7.3    HIGH
cisa                  7.3    HIGH
vendor_msrc           6.7    MEDIUM