⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-08-15.

CVE-2018-8174 — Out-of-bounds Write in Microsoft Windows 10

CWE-787 — Out-of-bounds Write37 documents15 sources

Severity

7.5HIGHNVD

EPSS

94.3%

top 0.06%

CISA KEV

KEVRansomware

Added 2022-02-15

Due 2022-08-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Windows 10 Microsoft Windows 10 Servers Microsoft Windows 7 +7 more

Timeline

PublishedMay 9

KEV addedFeb 15

Latest updateMay 13

KEV dueAug 15

CISA Required Action: Apply updates per vendor instructions.

Description

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages11 packages

▶CVEListV5microsoft/windows_server_20085 versions+4

▶CVEListV5microsoft/windows_server_2012(Server Core installation)

▶CVEListV5microsoft/windows_server_2008_r2Itanium-Based Systems Service Pack 1, x64-based Systems Service Pack 1, x64-based Systems Service Pack 1 (Server Core installation)+2

▶CVEListV5microsoft/windows_server_2012_r2(Server Core installation)

▶CVEListV5microsoft/windows_10_serversversion 1709 (Server Core Installation), version 1803 (Server Core Installation)+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-5cv8-848m-hmm2: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code E↗2022-05-13

▶

Project0

On VBScript - Project Zero↗2018-12-01

▶

CVEList

CVE-2018-8174: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code E↗2018-05-09

▶

VulnCheck

Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability↗2018

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution↗2018-05-21

▶

🔍Detection Rules

Suricata

ET EXPLOIT CVE-2018-8174 Common Construct B64 M2↗2019-03-11

▶

Suricata

ET EXPLOIT CVE-2018-8174 Common Construct B64 M3↗2019-03-11

▶

Suricata

ET EXPLOIT CVE-2018-8174 Common Construct B64 M1↗2019-03-11

▶

📋Vendor Advisories

CISA

Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability↗2022-02-15

▶

Microsoft

Windows VBScript Engine Remote Code Execution Vulnerability↗2018-05-08

▶

🕵️Threat Intelligence

Sentinelone

From Zero to Hero, Chapter 3: RIG Exploit Kit - VBScript CVE-2018-8174 & Flash CVE-2018-4878 Exploit↗2019-10-11

▶

Unit42

Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing↗2019-05-30

▶

Unit42

New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit↗2018-11-21

▶

Unit42

Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7↗2018-09-05

▶

Unit42

Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7↗2018-09-05

▶

External resources

NVD MITRE CISA KEV

Affected products10

Microsoft Windows 10v32-bit SystemsvVersion 1607 for 32-bit SystemsvVersion 1607 for x64-based Systems+7 more

Microsoft Windows 10 Serversvversion 1709 (Server Core Installation)vversion 1803 (Server Core Installation)

Microsoft Windows 7v32-bit Systems Service Pack 1vx64-based Systems Service Pack 1

Microsoft Windows 8.1v32-bit systemsvx64-based systems

Microsoft Windows RT 8.1vWindows RT 8.1

Microsoft Windows Server 2008v32-bit Systems Service Pack 2v32-bit Systems Service Pack 2 (Server Core installation)vItanium-Based Systems Service Pack 2+3 more

Microsoft Windows Server 2008 R2vItanium-Based Systems Service Pack 1vx64-based Systems Service Pack 1vx64-based Systems Service Pack 1 (Server Core installation)

Microsoft Windows Server 2012v(Server Core installation)vr2

Microsoft Windows Server 2012 R2v(Server Core installation)

Microsoft Windows Server 2016v(Server Core installation)

Disclosure

PublishedMay 9, 2018

KEV addedFeb 15, 2022

Latest updateMay 13, 2022

KEV dueAug 15, 2022