CVE-2019-1253
Published: 2019-09-11
Priority: P185 · high · CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · remediation due 2022-04-05
Exploited in the wild
EPSS: 11.62% (95.5th percentile)
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.
Affected
44 ranges · showing 25 (version ranges and fixed versions were not captured for any entry; rows with identical product names are collapsed)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)

YARA

```yara
rule HKTL_NET_GUID_CVE_2019_1253 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/padovah4ck/CVE-2019-1253"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "584964c1-f983-498d-8370-23e27fdd0399" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
```

- Monitor AppXSvc (AppX Deployment Server) for unexpected security descriptor modifications on files outside of normal AppX package paths, particularly arbitrary files reached via hard links from settings.dat.LOG2.
- Detect creation of hard links from settings.dat.LOG2 (Microsoft Edge profile path) to sensitive system files such as C:\Windows\win.ini as an exploitation indicator.
- Alert on DACL/security descriptor overwrites by AppXSvc on files not associated with AppX packages, especially grants of GENERIC_ALL to low-privileged users.
- Scan PE binaries for the TypeLib GUID 584964c1-f983-498d-8370-23e27fdd0399 to identify compiled C# exploit tools targeting CVE-2019-1253. The rule keys on one compiled PoC's TypeLib GUID, so a rebuilt project with a fresh GUID will not match; treat it as a low-effort hunt, not as coverage.
- The vulnerability requires the attacker to already have code execution on the victim system before exploitation can proceed.
- MSRC describes the root cause as improper handling of junctions, while the public exploit demonstrates exploitation via file hard links against settings.dat.LOG2; both primitives may be relevant for detection coverage.
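The first three detection notes above (security descriptor rewrites by AppXSvc outside package paths, hard links from settings.dat.LOG2, GENERIC_ALL grants to low-privileged users) can be turned into a small triage routine. The Python below is an added example written for this page, not code from any of the cited sources or from the padovah4ck PoC repository. It parses the SDDL carried in Windows Security event 4670 ("Permissions on an object were changed") records, flags rewrites performed by LocalSystem inside svchost.exe that hand full control or WRITE_DAC/WRITE_OWNER to a non-trusted SID on a file outside AppX package locations, and, as a live host check, counts hard links on settings.dat.LOG* files. The event records are constructed, the AppX path allow-list and the trusted-grantee set are the author's assumptions to be tuned per estate, and because 4670 names the host process (svchost.exe) rather than the hosted service, a hit still has to be correlated with service or process telemetry before it is attributed to AppXSvc.

```python
"""Added example: triage for CVE-2019-1253-style AppXSvc DACL rewrites.

Parses the SDDL in Windows Security event 4670 records and flags rewrites
by LocalSystem-in-svchost that grant broad rights to a non-trusted SID on a
file outside AppX package locations; also counts hard links on the
settings.dat.LOG* files the public PoC abused. Sample records are constructed.
"""
import glob
import os
import re
from dataclasses import dataclass

# Assumption: locations where AppXSvc legitimately rewrites ACLs.
APPX_PATH_PREFIXES = (
    "c:\\program files\\windowsapps\\",
    "c:\\programdata\\microsoft\\windows\\apprepository\\",
)
APPX_PATH_FRAGMENTS = ("\\appdata\\local\\packages\\",)

# SDDL right tokens / access bits that give, or allow taking, full control:
# GENERIC_ALL, FILE_ALL_ACCESS, WRITE_DAC, WRITE_OWNER.
BROAD_RIGHT_TOKENS = {"GA", "FA", "WD", "WO"}
GENERIC_ALL, WRITE_DAC, WRITE_OWNER, FILE_ALL_ACCESS = 0x10000000, 0x40000, 0x80000, 0x1F01FF

# Assumption: grantees expected to hold full control on system files
# (SYSTEM, Administrators, CREATOR OWNER, and their raw SIDs).
TRUSTED_GRANTEES = {"SY", "BA", "CO", "S-1-5-18", "S-1-5-32-544", "S-1-3-0"}
LOCAL_SYSTEM_SID = "S-1-5-18"


@dataclass
class Event4670:
    """The 4670 fields this check needs: Subject SID, Process Name, Object Name, old/new SD."""
    subject_sid: str
    process_name: str
    object_name: str
    old_sd: str
    new_sd: str


def rights_are_broad(rights: str) -> bool:
    """True if an SDDL rights field grants full control or DAC/owner control."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (GENERIC_ALL | WRITE_DAC | WRITE_OWNER)) or (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}  # two-letter SDDL tokens
    return bool(tokens & BROAD_RIGHT_TOKENS)


def dacl_aces(sddl: str):
    """Return (ace_type, rights, sid) for each ACE in the D: component of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) >= 6:
            aces.append((fields[0], fields[2], fields[5]))
    return aces


def low_priv_full_control(new_sd: str):
    """SIDs outside TRUSTED_GRANTEES that the new DACL allows broad rights to."""
    return sorted({sid for ace_type, rights, sid in dacl_aces(new_sd)
                   if ace_type == "A" and rights_are_broad(rights) and sid not in TRUSTED_GRANTEES})


def is_appx_path(path: str) -> bool:
    p = path.lower()
    return p.startswith(APPX_PATH_PREFIXES) or any(f in p for f in APPX_PATH_FRAGMENTS)


def triage(events):
    """(object_name, grantees) for rewrites matching the CVE-2019-1253 pattern.

    4670 names svchost.exe, not the hosted service, so a hit identifies
    LocalSystem-in-svchost and needs correlation before blaming AppXSvc.
    """
    alerts = []
    for ev in events:
        if ev.subject_sid != LOCAL_SYSTEM_SID or not ev.process_name.lower().endswith("\\svchost.exe"):
            continue
        if is_appx_path(ev.object_name):
            continue
        grantees = low_priv_full_control(ev.new_sd)
        if grantees:
            alerts.append((ev.object_name, grantees))
    return alerts


def multilinked_settings_logs(pattern=os.path.join(os.environ.get("LOCALAPPDATA", ""),
                                                   "Packages", "*", "Settings", "settings.dat.LOG*")):
    """Live host check: a fresh LOG file has one hard link; more means it was linked elsewhere."""
    return [p for p in glob.glob(pattern) if os.stat(p).st_nlink > 1]


# Constructed 4670-style records (not real telemetry); SIDs and package names are made up.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
SAMPLE_EVENTS = [
    # Benign: re-ACL of a file inside a package directory.
    Event4670(LOCAL_SYSTEM_SID, SVCHOST,
              "C:\\Program Files\\WindowsApps\\Contoso.App_1.0.0.0_x64__abcdefghijklm\\AppxManifest.xml",
              "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)",
              "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;BU)"),
    # Exploit pattern: LocalSystem in svchost grants GENERIC_ALL on win.ini to a user SID.
    Event4670(LOCAL_SYSTEM_SID, SVCHOST, "C:\\Windows\\win.ini",
              "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
              "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;GA;;;" + USER_SID + ")"),
    # A user re-ACLing their own file with icacls: not this pattern.
    Event4670(USER_SID, "C:\\Windows\\System32\\icacls.exe", "C:\\Users\\alice\\notes.txt",
              "O:" + USER_SID + "G:" + USER_SID + "D:(A;;FA;;;SY)(A;;FA;;;BA)",
              "O:" + USER_SID + "G:" + USER_SID + "D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;" + USER_SID + ")"),
    # Variant: hex FILE_ALL_ACCESS to Users (BU) on a file outside any package path.
    Event4670(LOCAL_SYSTEM_SID, SVCHOST, "C:\\Windows\\System32\\drivers\\etc\\hosts",
              "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)",
              "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1f01ff;;;BU)"),
]

if __name__ == "__main__":
    for obj, who in triage(SAMPLE_EVENTS):
        print(f"ALERT {obj}: broad rights granted to {', '.join(who)}")
    for path in multilinked_settings_logs():
        print(f"ALERT {path}: has extra hard links")
```

Feeding real 4670 records (for example exported from the Security log as CSV or via Get-WinEvent) through `triage` requires auditing of object access to be enabled with a SACL on the watched files; without a SACL, 4670 is never written for them. The hard-link check is cheap enough to schedule, but it only catches the LOG-file primitive the PoC used, not the junction handling MSRC describes.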
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
| vendor_redhat | — | 4.8 | MEDIUM | — |

The vendor_redhat score belongs to CVE-2019-1003014 (Jenkins Config File Provider Plugin, advisory SECURITY-1253), which the Red Hat and Bugzilla entries below cover; it was associated with this page through the shared "1253" token and does not rate the AppX issue.
CISA
Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
cisa·2022-03-15·CVSS 7.8
CVE-2019-1253 [HIGH] CWE-59 Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
Affected: Microsoft Windows
A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1253
Remediation Due Date: 2022-04-05
Microsoft
Windows Elevation of Privilege Vulnerability
vendor_msrc·2019-09-10·CVSS 7.8
CVE-2019-1253 [HIGH] Windows Elevation of Privilege Vulnerability
Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.
To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges.
The security update addresses the vulnerability by correcting how AppX Deployment Server handles junctions.
Product: Microsoft Windows
Vendor: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: Yes; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
(This is MSRC's assessment at publication on 2019-09-10; CISA added the CVE to the KEV catalog on 2022-03-15 after in-the-wild use was reported.)
Reference: https://catalog.update.microsoft.com/v7/s
Red Hat
jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)
vendor_redhat·2019-01-28·CVSS 4.8
This entry concerns CVE-2019-1003014 (Jenkins advisory SECURITY-1253), not CVE-2019-1253; it is included here because of the shared "1253" token and does not describe the AppX Deployment Server issue.
CVE-2019-1003014 [MEDIUM] CWE-79 jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)
jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
Package: jenkins-plugin-config-file-provider (Red Hat OpenShift Container Platform 3.10) - Will not fix
Package: jenkins-plugin-config-file-provider (Red Hat OpenShift Container Platform 3.6) - Will not fix
Package: jenkins-plugin-config-file-provider (Red Hat OpenShift Container Platform 3.7) - Will not fix
Package: jenkins-plugin-config-file-provider (Red
GHSA
GHSA-wp5j-ppw9-22mw: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1253 [HIGH] CWE-59 GHSA-wp5j-ppw9-22mw: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.
GHSA
GHSA-63x7-m3j2-hxwg: An elevation of privilege vulnerability exists in the way that ws2ifsl
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1215 [HIGH] CWE-269 GHSA-63x7-m3j2-hxwg: An elevation of privilege vulnerability exists in the way that ws2ifsl
An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.
GHSA
GHSA-mgf9-3fp9-mhfh: An elevation of privilege vulnerability exists in the way that the unistore
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1278 [HIGH] GHSA-mgf9-3fp9-mhfh: An elevation of privilege vulnerability exists in the way that the unistore
An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1253, CVE-2019-1303.
GHSA
GHSA-2fr6-xf6c-rwpx: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1303 [HIGH] GHSA-2fr6-xf6c-rwpx: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1253, CVE-2019-1278.
VulnCheck
Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
CVE-2019-1253 [HIGH] CWE-59 Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates; https://www.securin.io/articles/all-about-conti-ransomware/
Exploit PoC: https://vulncheck.com/xdb/8413d1b8bafe; https://vulncheck.com/xdb/be673a8a105e; https://vulncheck.com/xdb/cc8bc5f73283
Remediation Due: 2022-04-05
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable·2022-03-24
Tenable
Microsoft's September 2019 Patch Tuesday: Tenable Roundup
blogs_tenable·2019-09-10
Bugzilla
CVE-2019-1003014 jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)
bugzilla·2019-01-31·CVSS 4.8
This entry concerns CVE-2019-1003014 (Jenkins advisory SECURITY-1253), not CVE-2019-1253; it is included here because of the shared "1253" token and does not describe the AppX Deployment Server issue.
CVE-2019-1003014 [MEDIUM] CVE-2019-1003014 jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)
CVE-2019-1003014 jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)
Config File Provider Plugin up to and including version 3.4.1 improperly handled script names in its JavaScript-based UI, resulting in a stored cross-site scripting (XSS) vulnerability.
Upstream patches:
https://github.com/jenkinsci/config-file-provider-plugin/commit/64fba993c897ff52a9c6c38c6c41806f2e8cc73f
Discussion:
External References:
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1253
---
openshift-enterprise 3.6-3.11 inclusive: affected
Once openshift3/jenkins-1-rhel7, openshift3/jenkins-2-rhel7, openshift3/jenkins-slave-base-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are
References
- http://packetstormsecurity.com/files/154488/AppXSvc-17763.1.amd64fre.rs5_release.180914-1434-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1253
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1253

Timeline
- 2019-09-11: Published
- 2022-03-15: Added to CISA KEV
- Exploited in the wild