CVE-2018-1038
Published 2018-04-02 · CVE-2018-1038: The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 allows an elevation of privilege vulnerability due to the way it handles objects in memory…
Priority P2 · 77 · high · 7.8 CVSS 3.0
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 8.91% (94.6th percentile)
The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 allows an elevation of privilege vulnerability due to the way it handles objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability."
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft_corporation | windows | — | — |
| msrc | windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
Detection & IOCs (extracted from sources)
- Detect vulnerable systems by checking for the presence of the vulnerable version of ntoskrnl.exe using authenticated scanning or an endpoint agent (Qualys QID 91440).
- The PoC exploit reads the physical memory map from the registry key HKLM\Hardware\ResourceMap\System Resources\Physical Memory (.Translated value) to enumerate physical memory regions — monitor for unusual user-mode registry reads of this key.
- The exploit accesses the PML4 self-reference virtual address 0xFFFFF6FB7DBED000 directly from user mode — any user-mode access to this address range on Windows 7 x64 / Server 2008 R2 x64 is a strong indicator of exploitation.
- The exploit performs a SYSTEM token steal by locating EPROCESS structures in physical memory and overwriting the token pointer at offset 0x208 — look for unexpected privilege escalation to SYSTEM from a non-privileged process.
- The vulnerability only affects Windows 7 x64 and Windows Server 2008 R2 x64 systems that have installed any servicing update released during or after January 2018 but before KB4100480.
- Public PoC exploit code exists (Exploit-DB 44581 / 'TotalMeltdown'); opportunistic actors could weaponize it in a multi-stage attack — prioritize detection on internet-exposed or shared Windows 7 / Server 2008 R2 x64 assets.
- The vulnerability was introduced by the January 2018 Meltdown mitigations and only affects systems where those (or later) updates were installed. Systems that never installed any January 2018 or later updates are not affected by CVE-2018-1038 (though they remain exposed to Meltdown).
- Exploitation requires the attacker to already be logged on to the system; this is a local privilege escalation, not a remote code execution vulnerability.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
Microsoft
Windows Kernel Elevation of Privilege Vulnerability
vendor_msrc·2018-03-13·CVSS 7.8
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
FAQ: I am running Windows 7 or Windows Server 2008 R2 on my system. At what point do I need to install security upda
GHSA
GHSA-5539-34h9-rxqp: The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 allows an elevation of privilege vulnerability due to the way it handles objects in
ghsa_unreviewed·2022-05-13
The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 allows an elevation of privilege vulnerability due to the way it handles objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability."
Project0
Taking a page from the kernel's book: A TLB issue in mremap() - Project Zero
project_zero·2019-01-01·CVSS 7.0
Posted by Jann Horn, Project Zero
This is a technical blog post about TLB flushing bugs in kernels, intended for people interested in kernel security and memory management.
Introduction: Bugs in Memory Management code
There have been some pretty scary bugs in memory management in the past, like:
- CVE-2016-5195, a logic bug in the Linux kernel that permitted writing to shared read-only pages
- CVE-2018-1038, a Windows bug that existed for about two months, where a bit was set incorrectly in a page table, permitting userspace to overwrite page tables
Memory management is one of the core functions that every kernel and hypervisor needs to implement; and the correctness of memory management code is very important to the security of the entire system. I hope that this post encourages
VulnCheck
Windows Kernel Elevation of Privilege
vulncheck·2018·CVSS 7.8
The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 allows an elevation of privilege vulnerability due to the way it handles objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability."
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cyber.gov.au/sites/default/files/2023-03/report_manic_menagerie.pdf
No detection rules found.
Trendmicro
Microsoft Fixes Vulnerabilities in Fonts and Keyboard
blogs_trendmicro·2018-04-11·CVSS 5.3
Exploits & Vulnerabilities
## Microsoft Fixes Vulnerabilities in Fonts and Keyboard
Microsoft's Patch Tuesday for April addressed security issues in Internet Explorer (IE), Edge, ChakraCore, Visual Studio, Microsoft Office and Office Services and Web Apps, and Malware Protection Engine.
By: IoT Reputation Service Team, 2018/04/11
Microsoft has rolled out its Patch Tuesday for April to address security issues in Internet Explorer (IE), Edge, ChakraCore, Visual Studio, Microsoft Office and Office Services and Web Apps, and Malware Protection Engine. Of the 67 listed vulnerabilities, 24 were rated critical. Eight of these were disclosed through Trend Micro’s ZDI program:
- CVE-2018-1011
- CVE-2018-1008
- CVE-2018-1004
- CVE-2018-1001
- CVE-2018-1000
- CVE-2018-0
Qualys
Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing
blogs_qualys·2018-04-02·CVSS 7.8
In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news — this time involving Microsoft — and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.
## Microsoft patches its Meltdown patch, then patches it again
In an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.
It took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company thought it had solved the vulnerability (CVE-2018-1038) with a scheduled patch last Tuesday, but then had to rush out an em
Qualys
A “Patch for the Meltdown Patch” released out of band Thursday night
blogs_qualys·2018-03-30·CVSS 7.8
The Meltdown/Spectre saga continues…
Late Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve CVE-2018-1038. Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. Microsoft did include a partial fix in the March updates on Patch Tuesday, but did not completely resolve the issue.
According to a blog post by Ulf Frisk, some of the modifications to memory handling opened up read/write access to User mode code, essentially allowing any application on the machine to read and write from memory.
Qualys has created QID 91440 in Vulnerability Management. This detection requires authenticated scanning or a Qualys Cloud Agent installed on the asset, and looks for the presence
References
- http://www.securityfocus.com/bid/103549
- http://www.securitytracker.com/id/1040632
- https://blog.xpnsec.com/total-meltdown-cve-2018-1038/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038
- https://www.exploit-db.com/exploits/44581/