Zero-day vulnerability in Windows

Race condition
CVE-2018-8611

2018-12-11

This vulnerability was reported to Microsoft by Kaspersky Lab. It is believed it was used by FruityArmor and SandCat APT groups against companies in the Middle East and Africa.

Vulnerability details

Advisory: SB2018121105 - Privilege escalation in Windows kernel

Vulnerable component: Windows

CVE-ID: CVE-2018-8611

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description:

The vulnerability allows a local user to execute arbitrary code with elevated privileges.

The vulnerability exists due to a race condition within the Kernel Transaction Manager driver (ntoskrnl.exe) when processing transacted file operations in kernel mode. A local user can create a specially program, and run arbitrary code on the system n kernel mode.

Note: the vulnerability is being exploited in the wild.

External links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611

https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.

Zero-day vulnerability in Windows

Race condition CVE-2018-8611

About zero-day vulnerabilities

Race condition
CVE-2018-8611