CVE-2017-11830
Published 2017-11-15
Priority P4 · 32 · medium · 5.3 CVSS 3.0
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS: 2.57% (83.2th percentile)
Device Guard in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016, and Windows Server, version 1709 allows an attacker to make an unsigned file appear to be signed, due to a security feature bypass, aka "Device Guard Security Feature Bypass Vulnerability".
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server | — | — |
| microsoft_corporation | device_guard | — | — |
| msrc | windows_10_for_32-bit_systems | — | — |
| msrc | windows_10_for_x64-based_systems | — | — |
| msrc | windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | windows_10_version_1703_for_32-bit_systems | — | — |
| msrc | windows_10_version_1703_for_x64-based_systems | — | — |
| msrc | windows_10_version_1709_for_32-bit_systems | — | — |
| msrc | windows_10_version_1709_for_x64-based_systems | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_version_1709 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 5.3 | MEDIUM | — |
Microsoft
Device Guard Security Feature Bypass Vulnerability
vendor_msrc · 2017-11-14 · CVSS 5.3 · CVE-2017-11830 [MEDIUM]
Description: A security feature bypass exists when Device Guard incorrectly validates an untrusted file. An attacker who successfully exploited this vulnerability could make an unsigned file appear to be signed. Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute.
In an attack scenario, an attacker could make an untrusted file appear to be a trusted file.
The update addresses the vulnerability by correcting how Device Guard handles untrusted files.
Device Guard: Device Guard
Impact: Security Feature Bypass
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less L
GHSA
GHSA-39hh-f7r8-595f
ghsa_unreviewed · 2022-05-13 · CVE-2017-11830 [MEDIUM] · CWE-367
Device Guard in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016, and Windows Server, version 1709 allows an attacker to make an unsigned file appear to be signed, due to a security feature bypass, aka "Device Guard Security Feature Bypass Vulnerability".
No detection rules found.
Exploit-DB
Microsoft Windows - 'CiSetFileCache' WDAC Security Feature Bypass TOCTOU
exploitdb · 2018-09-19 · CVSS 5.3 · CVE-2018-8449 [MEDIUM]
---
Windows: CiSetFileCache TOCTOU CVE-2017-11830 Variant WDAC Security Feature Bypass
Platform: Windows 10 1803, 1709 (should include S-Mode but not tested)
Class: Security Feature Bypass
Summary:
While the TOCTOU attack against cache signing has been mitigated through NtSetCachedSigningLevel it’s possible to reach the same code via NtCreateSection leading to circumventing WDAC policies and CIG/PPL.
Description:
I'm reporting this as you've fixed the previous issues (cases 43036 and 40101), so I'm making an assumption you'd also fix this one. The previous issues allowed an unprivileged caller to exploit a race condition in the CiSetFileCache kernel function by calling NtSetCachedSigningLevel. These issues should no
Exploit-DB
Microsoft Windows - 'CiSetFileCache' TOCTOU Incomplete Fix
exploitdb · 2018-04-16 · CVSS 5.3 · CVE-2018-0966 [MEDIUM]
---
Windows: CiSetFileCache TOCTOU CVE-2017-11830 Incomplete Fix
Platform: Windows 10 1709 (including Win10S)
Class: Security Feature Bypass
Summary:
The fix for CVE-2017-11830 is insufficient to prevent a normal user application adding a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumventing Device Guard policies.
Description:
The previous issue I reported was due to not checking for write access on the target file handle when setting the cache. This allows a user application to abuse a TOCTOU and rewrite the file after the hash has been generated for the file. The only changed code seems to be below:
```c
FILE_OBJECT target_file;
ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, &
```
Exploit-DB
Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass
exploitdb · 2017-11-20 · CVE-2017-11830
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332
Windows: CiSetFileCache TOCTOU Security Feature Bypass
Platform: Windows 10 10586/14393/10S; not tested on 8.1 Update 2 or Windows 7
Class: Security Feature Bypass
Summary:
It’s possible to add a cached signing level to an unsigned file by exploiting a TOCTOU in CI, leading to circumventing Device Guard policies and possibly PPL signing levels.
Description:
Windows Code Integrity has the concept of caching signing level decisions made on individual files. This is done by storing an extended attribute with the name $KERNEL.PURGE.ESBCACHE and filling it with related binary information. As the EA name is a kernel EA it means it can’t be set by use
Qualys
November Patch Tuesday: 53 Vulnerabilities and a Massive Adobe Update
blogs_qualys · 2017-11-14 · CVSS 7.5 [HIGH]
This November Patch Tuesday is moderate in volume and severity. Microsoft released patches to address 53 unique vulnerabilities, with 25 focused on Remote Code Execution fixes. Windows OS receives 14 patches, while the lion’s share is focused on Browsers, Microsoft Office, and Adobe. According to Microsoft, there do not appear to be any actively attacked vulnerabilities in the wild in this patch release.
Interestingly enough, none of the Windows OS patches are listed as Critical this month, but we do recommend focusing on CVE-2017-11830 and CVE-2017-11847, as they address a Security Feature Bypass and a Privilege Elevation respectively.
It should also be noted that CVE-2017-11848, CVE-2017-11827, CVE-2017-11883, and CVE-2017-8700 have public exploits, but they do not appear to be used i
Talos
Microsoft Patch Tuesday - November 2017
blogs_talos · 2017-11-14 · CVSS 7.5 · CVE-2017-16367 [HIGH]
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.
In addition, an update for Adobe Reader was released which addresses CVE-2017-16367 / TALOS-2017-0356 - Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Code Execution Vulnerability which was discovered by Aleksandar Nikolic of Cisco Talos. This vulnerability manifests as a type confusion vulnerability in the PDF parsing functionality for documents containing marked stru
References:
- http://www.securityfocus.com/bid/101714
- http://www.securitytracker.com/id/1039790
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11830
- https://www.exploit-db.com/exploits/43162/