cbcvebase.
CVE-2018-1038
published 2018-04-02

Priority: P2 · 77 · high
CVSS 3.0: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploitation: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 8.91% (94.6th percentile)
The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 allows an elevation of privilege vulnerability due to the way it handles objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability."

Affected

6 ranges

Vendor                 Product                                                          Version range   Fixed in
microsoft              windows_server_2008
microsoft_corporation  windows
msrc                   windows_7_for_32-bit_systems_service_pack_1
msrc                   windows_7_for_x64-based_systems_service_pack_1
msrc                   windows_server_2008_r2_for_itanium-based_systems_service_pack_1
msrc                   windows_server_2008_r2_for_x64-based_systems_service_pack_1

Detection & IOCs (extracted from sources)

filename: ntoskrnl.exe
command: cmd.exe spawned from C:\windows\system32 via CreateProcessA after token swap
process: TotalMeltdownP
  • Detect vulnerable systems by checking for the presence of the vulnerable version of ntoskrnl.exe using authenticated scanning or an endpoint agent (Qualys QID 91440).
  • The PoC exploit reads the physical memory map from the registry key HKLM\Hardware\ResourceMap\System Resources\Physical Memory (.Translated value) to enumerate physical memory regions — monitor for unusual user-mode registry reads of this key.
  • The exploit accesses the PML4 self-reference virtual address 0xFFFFF6FB7DBED000 directly from user mode — any user-mode access to this address range on Windows 7 x64 / Server 2008 R2 x64 is a strong indicator of exploitation.
  • The exploit performs a SYSTEM token steal by locating EPROCESS structures in physical memory and overwriting the token pointer at offset 0x208 — look for unexpected privilege escalation to SYSTEM from a non-privileged process.
  • The vulnerability only affects Windows 7 x64 and Windows Server 2008 R2 x64 systems that have installed any servicing update released during or after January 2018 but before KB4100480.
  • Public PoC exploit code exists (Exploit-DB 44581 / 'TotalMeltdown'); opportunistic actors could weaponize it in a multi-stage attack — prioritize detection on internet-exposed or shared Windows 7 / Server 2008 R2 x64 assets.
  • The vulnerability was introduced by the January 2018 Meltdown mitigations and only affects systems where those (or later) updates were installed. Systems that never installed any January 2018 or later updates are not affected by CVE-2018-1038 (though they remain exposed to Meltdown).
  • Exploitation requires the attacker to already be logged on to the system; this is a local privilege escalation, not a remote code execution vulnerability.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.0     7.8    HIGH      CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8    HIGH
vendor_msrc           7.8    HIGH