Trending CVEs for the Week of March 18th, 2019

CVE-2019-0797 – Windows Zero-Day Vulnerability

Description

CVE-2019-0797 is one of the three zero-day vulnerabilities (one in Chrome, the other two in Windows) that we touched upon in last week’s post. It was discovered by Kaspersky Lab and patched by Microsoft as one of the 64 vulnerabilities covered by last week’s (March 12th) Patch Tuesday.

This zero-day (CVE-2019-0797) is almost identical to the one impacting Windows 7 (CVE-2019-0808) that was being chained with the Chrome vulnerability (CVE-2019-5786), but has the added advantage of working on more Windows OS versions. They are both elevation of privilege vulnerabilities affecting the Win32k component.

CVE-2019-0797 is an elevation of privilege vulnerability in Windows that arises when the Win32k component fails to properly handle objects in memory (a race-condition error). An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system.

Kaspersky Lab warned that at least a couple of threat actors were exploiting this vulnerability in the wild.

Affected Products

  • 64-bit Windows 8 and 10 (up to build 15063) are affected.

Exploitation and Risk

Researchers from Kaspersky Lab reported that the vulnerability is being exploited in the wild by at least two threat actors, including FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a relatively new advanced persistent threat (APT) group first observed in 2018.

According to a report by Threatpost, citing Kaspersky Lab researchers, SandCat has been known to use both FinFisher/FinSpy (spyware) and the CHAINSHOT (malware) framework in attacks, coupled with various zero-day vulnerabilities. Targets of SandCat have been mostly observed in the Middle East.

The FruityArmor APT group is an under-the-radar cyber-espionage group also active in the Middle East, and it has been around for some time. According to Kaspersky, this is the fourth Windows zero-day that it has discovered being abused in the wild by FruityArmor. The group was exploiting CVE-2018-8453 back in October 2018, and the earliest mentions go back to 2016, when another zero-day was identified – CVE-2016-3393.

This is a high-profile vulnerability, thought to be used only for high-value targets in “surgical” campaigns.

Fixes

  • Microsoft patch, released as a part of March 12th Patch Tuesday, addresses this vulnerability by correcting how Win32k handles objects in memory.
  • It is important to install the corresponding system update – available from Microsoft.
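As an added triage check (not part of the original post or of any vendor tooling), the following PowerShell script reports whether a host falls within the affected range given above (64-bit Windows 8 or 10, build 15063 or lower) and whether a given cumulative-update KB is present. The KB number is a placeholder parameter: take the real one for your build from the Microsoft advisory referenced below.

```powershell
# Added example: exposure/patch-state check for CVE-2019-0797 on the local host.
# Assumptions: Windows PowerShell 5.1, run with local administrator rights.
param(
    # PLACEHOLDER: the March 12th 2019 cumulative update KB for this build (see Microsoft advisory)
    [string]$FixKB = 'KBXXXXXXX'
)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$is64  = $os.OSArchitecture -like '64*'

# UBR (Update Build Revision) is the patch level within a build and rises with each
# cumulative update; Windows 8/8.1 do not expose it, hence SilentlyContinue.
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
            -Name UBR -ErrorAction SilentlyContinue).UBR
$fullBuild = if ($ubr) { "$build.$ubr" } else { "$build" }

# Affected range per the advisory summary: 64-bit, Windows 8 (build 9200) through
# Windows 10 1703 (build 15063). Newer builds are out of scope for this check.
$inRange = $is64 -and ($build -ge 9200) -and ($build -le 15063)

# Get-HotFix reads Win32_QuickFixEngineering; a KB that is not installed produces a
# non-terminating error and no object, which [bool] turns into $false.
$kbInstalled = [bool](Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Build           = $fullBuild
    Is64Bit         = $is64
    InAffectedRange = $inRange
    FixKBInstalled  = $kbInstalled
    Status          = $(
        if (-not $inRange)   { 'Not in affected OS range' }
        elseif ($kbInstalled) { 'Patched' }
        else                  { 'EXPOSED: install the March 2019 cumulative update' }
    )
}
```

Because Win32_QuickFixEngineering does not list every update type, also compare the reported UBR against the revision of the March 2019 release for that build when the KB lookup comes back empty.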

References

Kaspersky Lab Technical Details

Threatpost Report

Microsoft Advisory and Updates
