Microsoft Windows User Mode Scheduler privilege escalation
ms-win-usermode-priv-esc (75927)
Description:
Microsoft Windows could allow a local attacker to gain elevated privileges on the system, caused by the improper handling of a particular system request by the Windows User Mode Scheduler. On Intel x64 processors the kernel returns to user mode through SYSRET without first checking that the return address is canonical; a non-canonical address makes the processor raise a general protection fault while still in kernel mode, after the stack pointer has already been switched to the user-supplied value (the same CPU behaviour tracked across vendors as CVE-2012-0217, see References). A local attacker with valid login credentials who can log on and run a specially crafted application could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
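The root cause noted in the CVE-2012-0217 and XSA-7 references below is a missing canonical-address check before SYSRET. The following C program is an added illustration, not code from the advisory or from any affected vendor: it models the decision the patched kernels make in their syscall-return path (the BSD advisories call it a "64-bit mode sanity check") and contrasts it with the vulnerable behaviour. It assumes 48-bit virtual addresses (4-level paging) and uses constructed sample addresses; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the return-to-user check that closes the SYSRET hole.
 * Assumption (not from the advisory): 48-bit virtual addresses, i.e.
 * 4-level paging, where a canonical address has bits 63..47 all equal.
 */
#define VA_BITS 48u

/* Bits 63..47 must be all-zero (user half) or all-one (kernel half). */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> (VA_BITS - 1);                 /* 17 bits: 63..47 */
    return top == 0 || top == ((1ull << (64 - (VA_BITS - 1))) - 1);
}

/* A system call only ever returns to the user half; reject kernel-half too. */
bool is_user_canonical(uint64_t va)
{
    return (va >> (VA_BITS - 1)) == 0;
}

enum return_path { RETURN_SYSRET, RETURN_IRET };

/*
 * Vulnerable behaviour (Intel x64): SYSRET is taken for any return RIP.
 * If it is non-canonical the CPU raises #GP while still in ring 0, after
 * the kernel has already loaded the user's RSP, so the kernel's fault
 * handler runs on an attacker-chosen stack.
 */
enum return_path vulnerable_return_path(uint64_t user_rip)
{
    (void)user_rip;
    return RETURN_SYSRET;
}

/*
 * Fixed behaviour: only canonical user-half addresses take the fast SYSRET
 * path. Anything else goes through IRET, whose fault is taken with the
 * kernel stack intact and becomes an ordinary fault against the process.
 */
enum return_path fixed_return_path(uint64_t user_rip)
{
    return is_user_canonical(user_rip) ? RETURN_SYSRET : RETURN_IRET;
}

/* The non-canonical hole under 48-bit addressing. */
#define NONCANONICAL_LO 0x0000800000000000ull
#define NONCANONICAL_HI 0xFFFF7FFFFFFFFFFFull

int main(void)
{
    /* Constructed sample return addresses, not taken from any real process. */
    const uint64_t samples[] = {
        0x00007FF6A1B20000ull,  /* typical user-mode code address */
        0x00007FFFFFFFFFFFull,  /* last canonical user address */
        NONCANONICAL_LO,        /* first non-canonical address */
        NONCANONICAL_HI,        /* last non-canonical address */
        0xFFFFF80000000000ull,  /* canonical, but kernel half */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t rip = samples[i];
        printf("rip=%016llx canonical=%d user=%d vulnerable=%s fixed=%s\n",
               (unsigned long long)rip, is_canonical(rip), is_user_canonical(rip),
               vulnerable_return_path(rip) == RETURN_SYSRET ? "SYSRET" : "IRET",
               fixed_return_path(rip) == RETURN_SYSRET ? "SYSRET" : "IRET");
    }
    return 0;
}
```

Real kernels perform this test in the assembly of the syscall exit path rather than in C, and some also check RFLAGS and the RCX/R11 clobbering rules of SYSRET; the point here is only that every address in the non-canonical range, and every kernel-half address, must be kept away from SYSRET on Intel parts.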
*CVSS:
| Base Score: | 7.2 |
| Access Vector: | Local |
| Access Complexity: | Low |
| Authentication: | None |
| Confidentiality Impact: | Complete |
| Integrity Impact: | Complete |
| Availability Impact: | Complete |
| Temporal Score: | 5.6 |
| Exploitability: | Proof-of-Concept |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Privileges
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS12-042. See References.
For other distributions:
Apply the appropriate update for your system. See References.
References:
- CTX133161: Citrix XenServer Multiple Security Updates.
- FreeBSD-SA-12:04.sysret: Privilege escalation when returning from kernel.
- INTEL-SA-00032: Privilege Escalation in Intel Hybrid Cloud (IHC).
- Microsoft Security Bulletin MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167).
- Microsoft Windows Kernel Intel x64 SYSRET PoC: EDB-ID: 20861.
- NetBSD-SA2012-003: Intel processors sysret to non-canonical address behaviour.
- Oracle Web Site: Oracle Critical Patch Update Advisory - October 2012.
- Packet Storm Web site: Microsoft Windows Kernel Intel x64 SYSRET Proof Of Concept.
- pfSense Web site: pfSense Open Source Firewall Distribution - Home.
- XSA-7: Xen Security Advisory 7 (CVE-2012-0217) - PV privilege escalation.
- BID-53856: Intel CPU Hardware Local Privilege Escalation Vulnerability
- CVE-2012-0217: The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of
- DSA-2501: xen -- several vulnerabilities
- DSA-2508: kfreebsd-8 -- privilege escalation
- RHSA-2012-0720: Important: kernel security and bug fix update
- RHSA-2012-0721: Important: kernel security update
- SA49381: Xen Privilege Escalation and Denial of Service Vulnerabilities
- SA49429: Citrix XenServer Privilege Escalation and Denial of Service Vulnerabilities
- SA49454: Microsoft Windows Kernel Two Privilege Escalation Vulnerabilities
- SA49516: NetBSD 64-bit Mode Sanity Check Privilege Escalation Vulnerability
- SA49518: FreeBSD 64-bit Mode Sanity Check Privilege Escalation Vulnerability
- SA49817: Intel Hybrid Cloud 64-bit Mode Sanity Check Privilege Escalation Vulnerability
- SA51674: pfSense Multiple Vulnerabilities
Platforms Affected:
- Citrix XenServer 5.0
- Citrix XenServer 5.5
- Citrix XenServer 5.6
- Citrix XenServer 6.0
- FreeBSD FreeBSD 8.1
- Intel Hybrid Cloud 2.x
- Intel Hybrid Cloud 3.x
- Microsoft Windows 7 SP1 x64
- Microsoft Windows Server 2008 R2 SP1 x64
- Microsoft Windows Server 2008 R2 Itanium
- NetBSD NetBSD 4.0
- Oracle Solaris 10
- pfSense pfSense 2.0
- RedHat Enterprise Linux 5
- RedHat Enterprise Linux 5 Client
- RedHat Enterprise Linux EUS 5.6.z
- RedHat Enterprise Linux Long Life 5.6
- XenSource Xen 3.4
- XenSource Xen 4.0
- XenSource Xen 4.1
Reported:
Jun 12, 2012
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
