Friday, 28 July 2017

On 00:35 by admin in    No comments
A vulnerability has been found in Microsoft Outlook up to 2016 C2R and classified as critical. This vulnerability affects an unknown function of the component Document File Handler. The manipulation with an unknown input leads to a privilege escalation vulnerability. The CWE definition for the vulnerability is CWE-269. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was shared 07/27/2017 as KB4011052 as confirmed security update guide (Website). The advisory is shared for download atportal.msrc.microsoft.com. This vulnerability was named CVE-2017-8571. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $5k-$25k (estimation calculated on 07/28/2017). The advisory points out:
A security feature bypass vulnerability exists when Microsoft Office Outlook improperly handles input. An attacker who successfully exploited the vulnerability could execute arbitrary commands.
Applying the patch KB4011052 is able to eliminate this problem. The bugfix is ready for download at catalog.update.microsoft.com. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityTracker (ID 1039012).

CVSSv3

VulDB Base Score6.3
VulDB Temp Score6.0
VulDB VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
VulDB Reliability: High

CVSSv2

VectorComplexityAuthenticationConfidentialityIntegrityAvailability
LocalHighMultipleNoneNoneNone
AdjacentMediumSinglePartialPartialPartial
NetworkLowNoneCompleteCompleteComplete
VulDB Base Score6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
VulDB Temp Score5.9 (CVSS2#E:ND/RL:OF/RC:C)
VulDB Reliability: High

CPE

  • cpe:/a:microsoft:outlook:2007:sp3
  • cpe:/a:microsoft:outlook:2010:sp2
  • cpe:/a:microsoft:outlook:2013:sp1
  • cpe:/a:microsoft:outlook:2013_rt:sp1
  • cpe:/a:microsoft:outlook:2016:sp1
  • cpe:/a:microsoft:outlook:2010_c2r:sp1
  • cpe:/a:microsoft:outlook:2013_c2r:sp1
  • cpe:/a:microsoft:outlook:2016_c2r:sp1

Exploiting

Class: Privilege escalation (CWE-269)
Local: No
Remote: Yes

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day$0-$5k$5k-$25k$25k-$100k$100k-$500k
Today$0-$5k$5k-$25k$25k-$100k$100k-$500k

Countermeasures

Recommended: Patch
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

PatchKB4011052

Timeline

07/27/2017   Advisory disclosed
07/27/2017  +0 days Countermeasure disclosed
07/27/2017  +0 days SecurityTracker entry created
07/28/2017  +1 days VulDB entry created
07/28/2017  +0 days VulDB last update

Sources

AdvisoryKB4011052
Status: Confirmed

CVE: CVE-2017-8571 (mitre.org) (nvd.nist.org) (cvedetails.com)

0 comments:

Post a comment