Summary:
The July 2019 Microsoft Patch Tuesday (MSPT) release addresses several vulnerabilities in Microsoft Windows, including the Windows kernel, Win32k, unistore.dll, Hyper-V, the Windows WLAN service, the Windows Audio service, Windows RPCSS, DirectX and dnslvr.dll.
Two of them, the privilege escalation vulnerabilities CVE-2019-1132 in Win32k and CVE-2019-0880 in splwow64, were identified as zero-days that have been actively exploited in the wild.
Description:
A local attacker could exploit these vulnerabilities by running a specially crafted application on a target system. Successful exploitation grants the attacker elevated privileges, which can result in denial of service (DoS) or disclosure of sensitive information.
Win32k Elevation of Privilege Vulnerability (CVE-2019-1132)
The vulnerability is a NULL pointer dereference in win32k.sys that allows local privilege escalation (LPE). It arises because the Win32k component fails to properly handle objects in memory. A successful exploit lets an attacker run arbitrary code in kernel mode.
Affected Products:
The vulnerability (CVE-2019-1132) affects the following Windows versions:
- Windows 7 SP 1
- Windows Server 2008 SP 1
- Windows Server 2008 SP 2
Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2019-0880)
splwow64.exe is the print driver host for 32-bit applications: it allows 32-bit applications to use the 64-bit printer spooler service on 64-bit versions of Windows. The vulnerability (CVE-2019-0880) leads to privilege escalation because splwow64.exe handles certain calls improperly.
This vulnerability can be mitigated by manually disabling the Print Spooler service.
Affected Products:
The vulnerability (CVE-2019-0880) affects the following Windows versions:
- Windows 8.1, Server 2012 and later OS.
Mitigation:
Qualys customers can scan their network with QID#91553 to detect vulnerable assets.
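As an added example (not part of the Qualys advisory or its QID check), the following PowerShell triage script, which assumes an elevated session and PowerShell 5 or later, maps a host's OS version to the two affected-product lists above, reports the Print Spooler state, and applies the advisory's workaround for CVE-2019-0880 on demand.

```powershell
# Added example, not from the advisory: triage a host for the two exploited
# July 2019 LPE bugs and apply the Print Spooler workaround for CVE-2019-0880.
# Assumes an elevated session; Get-Service's StartType needs PowerShell 5+.

function Get-July2019LpeExposure {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver     = [version]$os.Version      # e.g. 6.1.7601 for Windows 7 SP1
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Version mapping taken from the advisory's affected-product lists:
    #   6.0.x / 6.1.x -> Server 2008 / Windows 7 SP1 (CVE-2019-1132, win32k.sys)
    #   6.2 and later -> Server 2012, Windows 8.1 and later (CVE-2019-0880, splwow64.exe)
    [pscustomobject]@{
        Host             = $os.CSName
        Caption          = $os.Caption
        OSVersion        = $os.Version
        Win32kAffected   = ($ver.Major -eq 6 -and $ver.Minor -le 1)
        Splwow64Affected = ($ver -ge [version]'6.2')
        SpoolerState     = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
        SpoolerStartType = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
    }
}

function Disable-PrintSpoolerWorkaround {
    # The advisory's workaround for CVE-2019-0880: stop and disable the Print
    # Spooler. Only appropriate on hosts that do not need to print or share printers.
    $spooler = Get-Service -Name Spooler -ErrorAction Stop
    if ($spooler.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

# Report exposure and flag the case the workaround is meant for.
$exposure = Get-July2019LpeExposure
$exposure | Format-List
if ($exposure.Win32kAffected) {
    Write-Warning "Host is in the CVE-2019-1132 affected range; apply the July 2019 update."
}
if ($exposure.Splwow64Affected -and $exposure.SpoolerState -eq 'Running') {
    Write-Warning "Print Spooler is running on a CVE-2019-0880 affected host; apply the July 2019 update or run Disable-PrintSpoolerWorkaround."
}
```

Re-enable the service with `Set-Service -Name Spooler -StartupType Automatic` once the July 2019 update is installed and printing is needed again.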
Please continue to follow Qualys Threat Protection for more coverage of vulnerabilities.
References & Sources:
- https://github.com/Vlad-tri/CVE-2019-1132
- https://blog.qualys.com/laws-of-vulnerabilities/2019/07/09/july-2019-patch-tuesday-77-vulns-15-critical-dhcp-rce-exploited-privesc-sql-adobe-vulns
- https://www.zerodayinitiative.com/blog/2019/7/9/the-july-2019-security-update-review
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1132
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0880
- https://www.virusradar.com/en/Win32_Exploit.CVE-2019-1132.A/description