CVE-2017-8686
published 2017-09-13
CVE-2017-8686: The Windows Server DHCP service in Windows Server 2012 Gold and R2, and Windows Server 2016 allows an attacker to either run arbitrary code on the DHCP…
Priority: P263 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 27.50% (97.8th percentile)
The Windows Server DHCP service in Windows Server 2012 Gold and R2, and Windows Server 2016 allows an attacker to either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive, due to a memory corruption vulnerability in the Windows Server DHCP service, aka "Windows DHCP Server Remote Code Execution Vulnerability".
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2012 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCs (extracted from sources)
- Target service is Windows Server DHCP; the attack requires DHCP failover mode to be enabled. Monitor for specially crafted packets sent to DHCP failover servers.
- Trigger condition is memory corruption in the DHCP service via malformed network packets; anomalous or malformed DHCP packets directed at failover-configured servers should be flagged.
- Affected component is explicitly 'Windows DHCP Server' on Windows Server 2012 Gold, R2, and Windows Server 2016. Scope detection and alerting to these OS versions running the DHCP Server role.
- Observable impact includes the DHCP service becoming nonresponsive; sudden DHCP service crashes or hangs on failover-configured servers may indicate exploitation attempts.
- Exploitation is only possible when the DHCP server is configured in failover mode; servers NOT in failover mode are not affected and do not require the same urgency of patching.
- Microsoft assessed exploitation as 'Less Likely' for both latest and older software releases at time of disclosure, and confirmed no known active exploitation or public exploit code.
CVSS provenance
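| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | | 9.8 | CRITICAL | |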
Microsoft
Windows DHCP Server Remote Code Execution Vulnerability
vendor_msrc·2017-09-12·CVSS 9.8
CVE-2017-8686 [CRITICAL] Windows DHCP Server Remote Code Execution Vulnerability
Description: A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive.
To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server. However, the DHCP server must be set to failover mode for the attack to succeed.
The security update addresses the vulnerability by correcting how DHCP failover servers handle network packets.
Windows DHCP Server: Windows DHCP Server
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploit
GHSA
GHSA-27h2-vr79-q7cq: The Windows Server DHCP service in Windows Server 2012 Gold and R2, and Windows Server 2016 allows an attacker to either run arbitrary code on the DHC
ghsa_unreviewed·2022-05-17
CVE-2017-8686 [CRITICAL] CWE-119 GHSA-27h2-vr79-q7cq: The Windows Server DHCP service in Windows Server 2012 Gold and R2, and Windows Server 2016 allows an attacker to either run arbitrary code on the DHC
The Windows Server DHCP service in Windows Server 2012 Gold and R2, and Windows Server 2016 allows an attacker to either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive, due to a memory corruption vulnerability in the Windows Server DHCP service, aka "Windows DHCP Server Remote Code Execution Vulnerability".
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - September 2017
blogs_talos·2017-09-12·CVSS 8.1
[HIGH] Microsoft Patch Tuesday - September 2017
## Microsoft Patch Tuesday - September 2017
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 81 new vulnerabilities with 27 of them rated critical, 52 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Office, Remote Desktop Protocol, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.
Note that the Bluetooth vulnerabilities known as "BlueBorne" that affected Windows have been patched in this latest release. For more information, please refer to CVE-2017-8628.
Qualys
September Patch Tuesday: 27 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
blogs_qualys·2017-09-12·CVSS 8.1
[HIGH] September Patch Tuesday: 27 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
Today Microsoft released a fairly large batch of patches covering 81 vulnerabilities as part of September’s Patch Tuesday update, with 38 of them impacting Windows. Patches covering 27 of these vulnerabilities are labeled as Critical, and 39 can result in Remote Code Execution (RCE). According to Microsoft, one critical vulnerability impacting HoloLens has a public exploit, and there are active malware campaigns exploiting a .NET vulnerability. Microsoft has also patched the BlueBorne vulnerability that could allow an attacker to perform a man-in-the-middle attack against a Windows system.
Top priority for patching should go to CVE-2017-0161, an RCE vulnerability in NetBIOS that impacts both servers and workstations. For users of Microsoft’s DHCP server, priority should also be given to
Bugzilla
CVE-2016-8685 CVE-2016-8686 CVE-2016-8694 CVE-2016-8695 CVE-2016-8696 CVE-2016-8697 CVE-2016-8698 CVE-2016-8699 CVE-2016-8700 CVE-2016-8701 CVE-2016-8702 CVE-2016-8703 CVE-2017-7263 potrace: Multiple
bugzilla·2016-10-17·CVSS 5.5
CVE-2016-8685 [MEDIUM] CVE-2016-8685 CVE-2016-8686 CVE-2016-8694 CVE-2016-8695 CVE-2016-8696 CVE-2016-8697 CVE-2016-8698 CVE-2016-8699 CVE-2016-8700 CVE-2016-8701 CVE-2016-8702 CVE-2016-8703 CVE-2017-7263 potrace: Multiple
CVE-2016-8685 CVE-2016-8686 CVE-2016-8694 CVE-2016-8695 CVE-2016-8696 CVE-2016-8697 CVE-2016-8698 CVE-2016-8699 CVE-2016-8700 CVE-2016-8701 CVE-2016-8702 CVE-2016-8703 CVE-2017-7263 potrace: Multiple security issues
Multiple issues in potrace were assigned CVEs on oss-security.
References:
http://seclists.org/oss-sec/2016/q4/153
https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c/
AddressSanitizer: SEGV on unknown address 0x4f027b in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:717:4
Use CVE-2016-8694.
AddressSanitizer: SEGV on unknown address 0x4f0957 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:744:4
Use CVE-2016-8695.
http://www.securityfocus.com/bid/100730
http://www.securitytracker.com/id/1039337
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8686
Published: 2017-09-13