CVE-2018-8641
Published 2018-12-12
CVE-2018-8641: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka "Win32k Elevation…
Priority: P277 · high · 7.8 (CVSS 3.0)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 1.12% (62.0th percentile)
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8639.
Affected
60 ranges in total; the source lists 25, which reduce to the products below (no version range or fixed-in data was extracted).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_7 | — | — |
| microsoft | windows_8.1 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability resides in the Windows kernel-mode driver (Win32k) failing to properly handle objects in memory; monitor for specially crafted applications executed by a locally logged-on user that interact with Win32k kernel-mode objects.
- Exploitation requires local logon followed by execution of a specially crafted application; hunt for low-privilege processes spawning kernel-mode interactions or unexpected privilege escalation to SYSTEM/kernel context.
- Successful exploitation allows arbitrary code execution in kernel mode; alert on unexpected kernel-mode code execution originating from user-mode processes, new high-privilege account creation, or mass data access/deletion following a privilege escalation event.
- Microsoft rates exploitation as 'More Likely' for both latest and older software releases; prioritize detection and patching on all affected Windows versions, including Windows 7, 8.1, 10 and Server 2008/2012/2016/2019.
- The vulnerability affects a broad range of Windows versions; verify patch applicability per OS version before deploying the corresponding KB update.
- This CVE is distinct from CVE-2018-8639, a separate Win32k EoP vulnerability patched in the same cycle; track and remediate both independently.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
GHSA
GHSA-jxw3-833q-c4j7 (CVE-2018-8641, HIGH, CWE-404)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8639.
GHSA
GHSA-93mm-g479-2cx4 (CVE-2018-8639, HIGH, CWE-404)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8641.
VulnCheck
CVE-2018-8641 [HIGH] Microsoft Windows Improper Resource Shutdown or Release
vulncheck · 2018 · CVSS 7.8
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8639.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://securelist.com/magnitude-exploit-kit-evolution/97436/
Microsoft
CVE-2018-8641 [HIGH] Win32k Elevation of Privilege Vulnerability
vendor_msrc · 2018-12-11 · CVSS 7.0
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Affected component: Windows Kernel-Mode Drivers
No detection rules found.
No public exploits indexed.
Checkpoint
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint · 2020-10-02
## Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Securelist
IT threat evolution Q2 2020
blogs_securelist · 2020-09-03
Table of Contents
- Targeted attacks
  - PhantomLance: hiding in plain sight
  - Naikon’s Aria
  - COMpfun authors spoof visa application with HTTP status-based Trojan
  - Mind the [air] gap
  - Looking at big threats using code similarity
  - SixLittleMonkeys
- Other malware
  - Loncom packer: from backdoors to Cobalt Strike
  - xHelper: the Trojan matryoshka
  - Spike in RDP brute-force attacks
  - Gaming during the COVID-19 pandemic
  - Rovnix bootkit back in business
  - Web skimming with Google Analytics
  - The Magnitude Exploit Kit
Authors
- David Emm
Related: IT threat evolution Q2 2020. PC statistics; IT threat evolution Q2 2020. Mobile statistics
## Targeted attacks
## PhantomLance: hiding in plain sight
In April, we reported the results of our investigation into a mobile spyware campaign that we call ‘PhantomLance’ . The cam
Securelist
[HIGH] Magnitude exploit kit – evolution
blogs_securelist · 2020-06-24 · CVSS 7.5
Table of Contents
- Introduction
- Infection vector
- Shellcode
- Elevation of privilege exploit
- Ransomware
- Conclusions
Authors
- Boris Larin
Exploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash because it’s just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there’s a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browsers and has pretty much been replaced with o