CVE-2018-8405
Published: 2018-08-15

Priority: P1 · 83 · high
CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (due 2022-04-18)
Exploited in the wild
EPSS: 3.44% (87.5th percentile)
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8406.

Affected

37 ranges · showing 25

Vendor / Product (the Version range and Fixed in columns were empty in the extracted listing)
  • microsoft / windows_10 (14 ranges)
  • microsoft / windows_10_servers (2 ranges)
  • microsoft / windows_server_2012 (1 range)
  • microsoft / windows_server_2016 (3 ranges)
  • msrc / windows_10_for_32-bit_systems
  • msrc / windows_10_for_x64-based_systems
  • msrc / windows_10_version_1607_for_32-bit_systems
  • msrc / windows_10_version_1607_for_x64-based_systems
  • msrc / windows_10_version_1703_for_32-bit_systems

Detection & IOCs (extracted from sources)

Command: D3DKMTCreateAllocation
  • The vulnerability is triggered via D3DKMTCreateAllocation by first creating an allocation with CrossAdapter flag=0, then passing the resulting handle into a second allocation call with CrossAdapter flag=1, causing a type confusion in DXGDEVICE::CreateAllocation.
  • The faulting code is in DXGDEVICE::CreateAllocation inside dxgkrnl.sys — monitor for anomalous D3DKMTCreateAllocation calls from unprivileged user-mode processes, especially those making sequential allocation calls with differing CrossAdapter flag values.
  • Enable special pool on dxgkrnl.sys to detect exploitation attempts; a BSOD/kernel crash in DXGDEVICE::CreateAllocation is a strong indicator of exploitation.
  • Exploitation requires local logon followed by execution of a specially crafted application; monitor for low-privilege processes making direct calls into dxgkrnl.sys via D3DKMTCreateAllocation that result in privilege escalation to SYSTEM.
  • Vulnerability only affects Windows versions prior to the August 2018 patch; systems patched with KB4343885, KB4343909, KB4343897, KB4343892, KB4343887, KB4343898, or KB4343888 are not vulnerable.
  • Exploitation requires local access; this is a local privilege escalation, not a remote code execution vulnerability.

CVSS provenance

  • nvd (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • nvd (v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 7.8 HIGH
  • cisa: 7.8 HIGH
  • vendor_msrc: 7.0 HIGH