CVE-2018-8405
Published: 2018-08-15
Priority: P183 · high · CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-18
Exploited in the wild
EPSS: 3.44% (87.5th percentile)
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8406.
Affected
37 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_for_32-bit_systems | — | — |
| msrc | windows_10_for_x64-based_systems | — | — |
| msrc | windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | windows_10_version_1703_for_32-bit_systems | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via D3DKMTCreateAllocation by first creating an allocation with CrossAdapter flag=0, then passing the resulting handle into a second allocation call with CrossAdapter flag=1, causing a type confusion in DXGDEVICE::CreateAllocation.
- The faulting code is in DXGDEVICE::CreateAllocation inside dxgkrnl.sys; monitor for anomalous D3DKMTCreateAllocation calls from unprivileged user-mode processes, especially those making sequential allocation calls with differing CrossAdapter flag values.
- Enable special pool on dxgkrnl.sys to detect exploitation attempts; a BSOD/kernel crash in DXGDEVICE::CreateAllocation is a strong indicator of exploitation.
- Exploitation requires local logon followed by execution of a specially crafted application; monitor for low-privilege processes making direct calls into dxgkrnl.sys via D3DKMTCreateAllocation that result in privilege escalation to SYSTEM.
- The vulnerability only affects Windows versions prior to the August 2018 patch; systems patched with KB4343885, KB4343909, KB4343897, KB4343892, KB4343887, KB4343898, or KB4343888 are not vulnerable.
- Exploitation requires local access; this is a local privilege escalation, not a remote code execution vulnerability.
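The call sequence described in the first two bullets, written as a detection rule over a constructed, hypothetical call trace. This is an added example and not from any of the sources quoted on this page; the trace fields (pid, integrity level, CrossAdapter flag, handles in and out) and the per-process handle tracking are assumptions, since Windows does not expose such a trace by default and whatever EDR or hypervisor hook produces it would define its own schema.

```python
"""Detection rule for the D3DKMTCreateAllocation sequence under Detection & IOCs.

Added example, not from any source quoted on this page. The trace format is a
constructed, hypothetical record of D3DKMTCreateAllocation calls (Windows emits
no such trace natively; assume an EDR or hypervisor hook populates it).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ELEVATED = {"high", "system"}  # integrity levels where EoP is not the concern

@dataclass(frozen=True)
class AllocCall:
    pid: int
    integrity: str                  # "low", "medium", "high" or "system"
    cross_adapter: int              # CrossAdapter flag on this call (0 or 1)
    input_handles: Tuple[int, ...]  # existing allocation handles passed in
    returned_handle: int            # allocation handle this call returned

@dataclass(frozen=True)
class Finding:
    pid: int
    handle: int

def detect_cross_adapter_confusion(calls: List[AllocCall]) -> List[Finding]:
    """One Finding per (pid, handle) where a handle created with CrossAdapter=0
    is later passed by the same unprivileged process into a CrossAdapter=1 call.
    Handles are tracked per pid, an assumption of this example."""
    plain: Dict[int, Set[int]] = {}  # pid -> handles created with CrossAdapter=0
    findings: List[Finding] = []
    for call in calls:               # trace is assumed to be in time order
        if call.cross_adapter == 0:
            plain.setdefault(call.pid, set()).add(call.returned_handle)
            continue
        if call.integrity in ELEVATED:
            continue                 # already privileged: not the EoP pattern
        for h in call.input_handles:
            if h in plain.get(call.pid, set()):
                findings.append(Finding(call.pid, h))
    return findings

# Constructed trace: pid 4242 performs the flagged sequence; 5150 reuses a
# CrossAdapter=1 handle (benign); 900 runs as SYSTEM; 7777 reuses another
# process's handle, which this per-pid rule does not report.
SAMPLE_TRACE = [
    AllocCall(4242, "medium", 0, (), 0x1000),
    AllocCall(5150, "medium", 1, (), 0x2000),
    AllocCall(5150, "medium", 1, (0x2000,), 0x2001),
    AllocCall(900, "system", 0, (), 0x3000),
    AllocCall(900, "system", 1, (0x3000,), 0x3001),
    AllocCall(7777, "medium", 1, (0x1000,), 0x4000),
    AllocCall(4242, "medium", 1, (0x1000,), 0x1001),
]

if __name__ == "__main__":
    for f in detect_cross_adapter_confusion(SAMPLE_TRACE):
        print(f"pid {f.pid}: CrossAdapter=0 handle {f.handle:#x} reused with CrossAdapter=1")
```

The SYSTEM-integrity and cross-process cases are deliberately left unreported so the rule stays tied to the elevation-of-privilege precondition the bullets state; widen `ELEVATED` or drop the per-pid keying if your telemetry warrants it.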
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
CISA
Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerability
cisa · 2022-03-28 · CVSS 7.8
CVE-2018-8405 [HIGH] CWE-404
Affected: Microsoft DirectX Graphics Kernel (DXGKRNL)
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-8405
Remediation Due Date: 2022-04-18
Microsoft
DirectX Graphics Kernel Elevation of Privilege Vulnerability
vendor_msrc · 2018-08-14 · CVSS 7.0
CVE-2018-8405 [HIGH]
Description: An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.
The security update addresses the vulnerability by correcting how DXGKRNL handles objects in memory.
Component: Microsoft Graphics Component
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely; Older Software Release:
GHSA
GHSA-5999-mxm4-23g8 (CVE-2018-8400)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
CVE-2018-8400 [HIGH] CWE-404
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows 10 Servers, Windows 10. This CVE ID is unique from CVE-2018-8401, CVE-2018-8405, CVE-2018-8406.
GHSA
GHSA-4x9p-q533-qww3 (CVE-2018-8401)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
CVE-2018-8401 [HIGH] CWE-404
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8405, CVE-2018-8406.
GHSA
GHSA-mxvv-3vrg-ch3p (CVE-2018-8406)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
CVE-2018-8406 [HIGH] CWE-404
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8405.
GHSA
GHSA-87h6-m3qc-h3rx (CVE-2018-8405)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
CVE-2018-8405 [HIGH] CWE-404
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8406.
VulnCheck
Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerability
vulncheck · 2018 · CVSS 7.8
CVE-2018-8405 [HIGH] CWE-404
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.
Affected: Microsoft DirectX Graphics Kernel (DXGKRNL)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.africacybersecurityconference.com/document/CrowdStrike_GTR_2019.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-18
No detection rules found.
No public exploits indexed.
Trendmicro
DirectX to the Kernel
blogs_trendmicro · 2018-12-04 · CVSS 7.8
[HIGH] DirectX to the Kernel
By: Zero Day Initiative, Dec 04, 2018
The operating system kernel is the final goal for every great exploit chain. You can look at the entries in the Zero Day Initiative (ZDI) Pwn2Own contests over the years to see that process at work. The Windows kernel has been subject to many points of attack. One of my favourites is abuse of DeviceIoControl calls to various drivers since this allows access to so many drivers written by so many vendors, many of which are not all that well-written or tested.
Over the years, most of the attacks to penetrate into the Windows kernel have gone through win32k.sys -- a kernel-mode device driver that controls the Windows graphic and window management system. When
Trendmicro
August Patch Tuesday: A Tale of Two Zero-Days
blogs_trendmicro · 2018-08-15 · CVSS 7.5
[HIGH] August Patch Tuesday: A Tale of Two Zero-Days
Exploits & Vulnerabilities
By: Trend Micro, Aug 15, 2018
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero-day vulnerabilities is CVE-2018-8373, a use-after-free (UAF) vulnerability in the VBScript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174, another VBScript engine vulnerability that was patched back in May. Successful exploitation of this vulnerability could
Talos
Microsoft Tuesday August 2018
blogs_talos · 2018-08-14 · CVSS 9.8
[CRITICAL] Microsoft Tuesday August 2018
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.
In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.
## Critical Vulnerabilities
This month, Microsoft is addressing 20 vulnerabilities that a
References
- http://www.securityfocus.com/bid/105011
- http://www.securitytracker.com/id/1041461
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8405
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8405
Timeline
- 2018-08-15: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild