CVE-2019-0543
Published: 2019-01-08
Priority: P1 · 84
CVSS 3.1: 7.8 (High) · AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-05
Exploited in the wild
EPSS: 4.72% (90.7th percentile)
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 4.4.0-184.214 | 4.4.0-184.214 |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_version_1709 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for processes spawned in Session 0 by non-SYSTEM interactive users. The exploit abuses NTLM loopback authentication via AcquireCredentialsHandle with a SEC_WINNT_AUTH_IDENTITY_EX structure (username and domain set, password omitted) to obtain a network token with Session ID 0, then uses the COM activator to create a child process under that token.
- Detect calls to AcquireCredentialsHandle where pAuthData supplies a SEC_WINNT_AUTH_IDENTITY_EX structure with the username and domain fields populated but no password. This is the specific trigger that bypasses the normal loopback short-circuit and returns a Session 0 network token.
- Alert on COM activator-spawned child processes whose token Session ID is 0 while the parent process is running in an interactive (non-zero) session. This is the observable post-exploitation behaviour of the PoC.
- Flag use of NtApiDotNet (NuGet package) in compiled C# tooling on endpoints, particularly when combined with SSPI/NTLM loopback authentication activity; the PoC explicitly depends on this library.
- In AppContainer / Edge sandbox environments, watch for Enterprise Authentication capability usage combined with NTLM loopback. The exploit may return a full (non-AppContainer) token instead of the expected AppContainer token, enabling privilege escalation.
- Note: the PoC was only validated on Windows 10 versions 1803 and 1809; behaviour on earlier Windows versions was not confirmed by the researcher.
- Note: normal loopback NTLM authentication (no pAuthData buffer, or SEC_WINNT_AUTH_IDENTITY_EX with empty username/domain) does NOT trigger the vulnerability; only the specific case of username and domain set with no password does.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Privilege Escalation Vulnerability
cisa·2022-03-15·CVSS 7.8
CVE-2019-0543 [HIGH] CWE-287 Microsoft Windows Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Privilege Escalation Vulnerability
Affected: Microsoft Windows
A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-0543
Remediation Due Date: 2022-04-05
Microsoft
Microsoft Windows Elevation of Privilege Vulnerability
vendor_msrc·2019-01-08·CVSS 7.8
CVE-2019-0543 [HIGH] Microsoft Windows Elevation of Privilege Vulnerability
Microsoft Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
An attacker could exploit this vulnerability by running a specially crafted application on the victim system.
The update addresses the vulnerability by correcting the way Windows handles authentication requests.
Microsoft Windows: Microsoft Windows
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely; Older Software Release: Exploitation More Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4480973
Reference: h
GHSA
GHSA-3vmp-cf5x-w457: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege
ghsa_unreviewed·2022-05-13
CVE-2019-0543 [HIGH] CWE-287 GHSA-3vmp-cf5x-w457: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
OSV
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
osv·2020-06-11·CVSS 6.5
CVE-2019-19319 linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle setxattr operations in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19319)

It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. (CVE-2020-0543)

Piotr Krysiuk discovered that race conditions existed in the file system implementation in the Linux
VulnCheck
Microsoft Windows Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
CVE-2019-0543 [HIGH] CWE-287 Microsoft Windows Privilege Escalation Vulnerability
Microsoft Windows Privilege Escalation Vulnerability
A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates; https://www.securin.io/articles/all-about-conti-ransomware/
Remediation Due: 2022-04-05
No detection rules found.
References:
- http://www.securityfocus.com/bid/106408
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0543
- https://www.exploit-db.com/exploits/46156/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0543
Timeline:
- 2019-01-08: Published
- 2022-03-15: Added to CISA KEV
- Exploited in the wild