CVE-2019-0623
Published: 2019-03-05
Priority: P2 · 76 · High · CVSS 3.0 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.93% (92.3rd percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
Affected
56 ranges · showing 25 (the version range and fixed-in fields are empty for every listed entry; the 25 rows reduce to three distinct products)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability resides in the Win32k kernel component; monitor for specially crafted application execution by locally logged-on users targeting Win32k object handling in kernel mode
- Exploitation requires local logon; alert on low-privileged users spawning processes that interact with Win32k and subsequently gain kernel-mode code execution
- Post-exploitation indicators include new account creation or modification of data by processes running in kernel mode; monitor for unexpected privilege escalation to SYSTEM from a standard user context
- Microsoft assessed exploitation as 'Less Likely' for both latest and older software releases at time of disclosure; no in-the-wild exploitation was confirmed
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
GHSA
GHSA-92xm-45mw-fv9w · ghsa_unreviewed · 2022-05-13 · HIGH
The GHSA entry reproduces the CVE description above without further review.
VulnCheck
Win32k Elevation of Privilege · vulncheck · 2019 · CVSS 7.8 · HIGH
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/
Exploit PoC: https://vulncheck.com/xdb/d2ece1328cbb; https://vulncheck.com/xdb/6ed76c6ef267
Microsoft
Win32k Elevation of Privilege Vulnerability · vendor_msrc · 2019-02-12 · CVSS 7.0 · HIGH
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Windows Kernel
Impact: Elevation of Privilege
Exploit Status: Publ
No detection rules found.
No public exploits indexed.
Unit42
Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor · blogs_unit42 · 2023-06-28 · CVSS 9.1
CVE-2021-26855 [CRITICAL]
Threat Research Center · High Profile Threats · Malware
## Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
Daniel Frank
Published: June 28, 2023
Tags: High Profile Threats, Malware, Cryptocurrency, Cryptojacking, CVE-2021-26855, CVE-2021-33766, CVE-2021-34473, CVE-2022-41040, Manic Menagerie, Microsoft Exchange Server, Persistence method, ProxyNotShell, Webshell
## Executive Summary
Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.
The threat actor deployed coin miners on hijacked machines to abuse the compromised servers’ resources. They have further deepened their foothold in victims’ environments by mass deployment of web shells, which granted them sustained access, as well as access to internal resources of the compromised websites.
In doing so, the attackers could potentially have turned the hijacked legitimate websites – hosted by the tar
Bugzilla
CVE-2019-9790 Mozilla: Use-after-free when removing in-use DOM elements · bugzilla · 2019-03-20 · CVSS 9.8 · CRITICAL
A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially exploitable crash.
External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9790
Acknowledgments:
- Name: the Mozilla project
- Upstream: Brandon Wieser
This issue has been addressed in the following products:
- Red Hat Enterprise Linux 7, via RHSA-2019:0622 https://access.redhat.com/errata/RHSA-2019:0622
- Red Hat Enterprise Linux 6, via RHSA-2019:0623 https://access.redhat.com/errata/RHSA-2019:0623
Sta
Bugzilla
CVE-2019-9795 Mozilla: Type-confusion in IonMonkey JIT compiler · bugzilla · 2019-03-20 · CVSS 9.8 · CRITICAL
A vulnerability where type-confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash.
External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9795
Acknowledgments:
- Name: the Mozilla project
- Upstream: Nils
This issue has been addressed in the following products:
- Red Hat Enterprise Linux 7, via RHSA-2019:0622 https://access.redhat.com/errata/RHSA-2019:0622
- Red Hat Enterprise Linux 6, via RHSA-2019:0623 https://access.redhat.com/errata/RHSA-2019:0623
Statement:
In general, this flaw be exploited through email i