Details of VAR-201711-0179

ID

VAR-201711-0179

CVE

CVE-2017-11855

TITLE

Automatic DNS registration and proxy autodiscovery allow spoofing of network services

Trust: 0.8

sources: CERT/CC: VU#598349

DESCRIPTION

Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to gain the same user rights as the current user, due to how Internet Explorer handles objects in memory, aka "Internet Explorer Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11856. Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device. Router DNS The dynamic registration / update function is enabled and the client PC In the network where the auto-detection function is enabled in "wpad" If a device with the host name is added to the network, the contents of the communication may be obtained or altered. Used in home and office (Google WiFi And Ubiquiti UniFi General including etc. ) In routers, often DNS Dynamic registration / update function is used. DNS Dynamic registration / update function DHCP Use the host name sent from the client side in the request as it is A Records are automatically registered / updated. An attacker with access to the network "wpad" And "isatap" A device with a host name of DNS By registering with, you may attract access to the device and attack it. Also, the discoverer mDNS Clients in the network without using a router PC In "wpad" And "isatap" It is confirmed that it can be accessed in combination with the automatic detection function. WPAD About proxy auto-configuration by so-called Nora DHCP Server or higher DNS On the server <a href="https://googleprojectzero.blogspot.fi/2017/12/apacolypse-now-exploiting-windows-10-in_18.html"target="blank"> Has been considered a problem </a> But, LAN/WLAN There was no mention of the internal auto-configuration function. This problem, Arctic Security Company Ossi Salmi , Mika Seppanen , Marko Laakso , Kasper Kyllonen Discovered and verified by NCSC-FI Made adjustments.In an internal network, an attacker "wpad" If a device with the host name is added to the network, the device can be used as an attack proxy, and as a result, the contents of the communication may be obtained or altered. The vendor Internet Explorer Memory Corruption Vulnerability ". This vulnerability CVE-2017-11856 Is a different vulnerability.An attacker could gain the same user rights as the current user. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks

Trust: 3.69

sources: NVD: CVE-2017-11855 // CERT/CC: VU#598349 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-010095 // BID: 101751 // BID: 105298 // VULMON: CVE-2017-11855

AFFECTED PRODUCTS

vendor:	microsoft	model:	internet explorer	scope:	eq	version:	11	Trust: 2.7
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	9	Trust: 2.1
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	10	Trust: 2.1
vendor:	adtran	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	mikrotik	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	pi hole	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	tippingpoint	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ubiquiti	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	multiple vendors	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	wpad	model:	wpad	scope:	eq	version:	0	Trust: 0.3
vendor:	synology	model:	skynas	scope:	eq	version:	0	Trust: 0.3
vendor:	synology	model:	router manager	scope:	eq	version:	1.1	Trust: 0.3
vendor:	synology	model:	dsm	scope:	eq	version:	6.2	Trust: 0.3
vendor:	synology	model:	dsm	scope:	eq	version:	6.1	Trust: 0.3
vendor:	synology	model:	dsm	scope:	eq	version:	5.2	Trust: 0.3
vendor:	adtran	model:	total access 900/900e series	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	sdx 810-rg	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	netvanta	scope:	eq	version:	60000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	6000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	5000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	4000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	3000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	10000	Trust: 0.3
vendor:	adtran	model:	aos r13.2.2	scope:	-	version:	-	Trust: 0.3
vendor:	adtran	model:	434rg ont	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	424rg ont	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	414rg ont	scope:	eq	version:	0	Trust: 0.3
vendor:	synology	model:	router manager	scope:	ne	version:	1.1.7-6941-2	Trust: 0.3
vendor:	synology	model:	dsm	scope:	ne	version:	6.2.1-23824	Trust: 0.3

sources: CERT/CC: VU#598349 // BID: 101751 // BID: 105298 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-010095 // CNNVD: CNNVD-201711-568 // NVD: CVE-2017-11855

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2017-11855
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-201711-568
value:	HIGH
Trust: 0.6
VULMON:	CVE-2017-11855
value:	HIGH
Trust: 0.1

VULMON:	CVE-2017-11855
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

NVD:	CVE-2017-11855
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 1.8

sources: VULMON: CVE-2017-11855 // JVNDB: JVNDB-2017-010095 // CNNVD: CNNVD-201711-568 // NVD: CVE-2017-11855

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2017-010095 // NVD: CVE-2017-11855

THREAT TYPE

network

Trust: 0.6

sources: BID: 101751 // BID: 105298

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201711-568

CONFIGURATIONS

sources: NVD: CVE-2017-11855

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2017-11855

PATCH

title:	CVE-2017-11855 \| Internet Explorer Memory Corruption Vulnerability	url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-11855	Trust: 0.8
title:	CVE-2017-11855 \| Internet Explorer Memory Corruption Vulnerability	url:	https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/cve-2017-11855	Trust: 0.8
title:	Microsoft Windows Internet Explorer Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=76407	Trust: 0.6
title:	The Register	url:	https://www.theregister.co.uk/2017/11/15/november_patch_tuesday/	Trust: 0.2
title:	domato	url:	https://github.com/googleprojectzero/domato	Trust: 0.1
title:	js-vuln-db	url:	https://github.com/tunz/js-vuln-db	Trust: 0.1
title:	Exp101tsArchiv30thers	url:	https://github.com/nu11secur1ty/exp101tsarchiv30thers	Trust: 0.1
title:	awesome-cve-poc_qazbnm456	url:	https://github.com/xbl3/awesome-cve-poc_qazbnm456	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/project-zero-chains-bugs-for-apacolypse-now-attack-on-windows-10/129193/	Trust: 0.1

sources: VULMON: CVE-2017-11855 // JVNDB: JVNDB-2017-010095 // CNNVD: CNNVD-201711-568

EXTERNAL IDS

db:	NVD	id:	CVE-2017-11855	Trust: 2.8
db:	CERT/CC	id:	VU#598349	Trust: 2.0
db:	BID	id:	101751	Trust: 2.0
db:	EXPLOIT-DB	id:	43371	Trust: 1.7
db:	EXPLOIT-DB	id:	43367	Trust: 0.8
db:	JVN	id:	JVNVU99302544	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-014029	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-010095	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-568	Trust: 0.6
db:	BID	id:	105298	Trust: 0.3
db:	VULMON	id:	CVE-2017-11855	Trust: 0.1

sources: CERT/CC: VU#598349 // VULMON: CVE-2017-11855 // BID: 101751 // BID: 105298 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-010095 // CNNVD: CNNVD-201711-568 // NVD: CVE-2017-11855

REFERENCES

url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-11855	Trust: 2.0
url:	https://www.exploit-db.com/exploits/43371/	Trust: 1.8
url:	http://www.securityfocus.com/bid/101751	Trust: 1.7
url:	https://googleprojectzero.blogspot.fi/2017/12/apacolypse-now-exploiting-windows-10-in_18.html	Trust: 1.6
url:	https://www.kb.cert.org/vuls/id/598349	Trust: 1.2
url:	https://supportforums.adtran.com/docs/doc-9269	Trust: 1.1
url:	https://www.exploit-db.com/exploits/43367/	Trust: 0.8
url:	https://community.ubnt.com/t5/unifi-updates-blog/usg-firmware-v4-4-28-now-available/ba-p/2482349	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu99302544/	Trust: 0.8
url:	https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2018/haavoittuvuus-2018-019.html	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11855	Trust: 0.8
url:	https://www.ipa.go.jp/security/ciadr/vul/20171115-ms.html	Trust: 0.8
url:	http://www.jpcert.or.jp/at/2017/at170044.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-11855	Trust: 0.8
url:	http://www.microsoft.com	Trust: 0.3
url:	http://www.microsoft.com/ie/	Trust: 0.3
url:	https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html	Trust: 0.3
url:	https://www.synology.com/en-global/support/security/synology_sa_18_53	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://tools.cisco.com/security/center/viewalert.x?alertid=55852	Trust: 0.1
url:	https://threatpost.com/project-zero-chains-bugs-for-apacolypse-now-attack-on-windows-10/129193/	Trust: 0.1

CREDITS

Hui Gao of Palo Alto Networks

Trust: 0.3

sources: BID: 101751

SOURCES

db:	CERT/CC	id:	VU#598349
db:	VULMON	id:	CVE-2017-11855
db:	BID	id:	101751
db:	BID	id:	105298
db:	JVNDB	id:	JVNDB-2017-014029
db:	JVNDB	id:	JVNDB-2017-010095
db:	CNNVD	id:	CNNVD-201711-568
db:	NVD	id:	CVE-2017-11855

LAST UPDATE DATE

2022-05-06T12:59:16.773000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#598349	date:	2018-10-23T00:00:00
db:	VULMON	id:	CVE-2017-11855	date:	2019-04-29T00:00:00
db:	BID	id:	101751	date:	2017-12-19T22:00:00
db:	BID	id:	105298	date:	2018-09-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-014029	date:	2018-09-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-010095	date:	2017-12-05T00:00:00
db:	CNNVD	id:	CNNVD-201711-568	date:	2019-04-30T00:00:00
db:	NVD	id:	CVE-2017-11855	date:	2019-04-29T18:34:00

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#598349	date:	2018-09-05T00:00:00
db:	VULMON	id:	CVE-2017-11855	date:	2017-11-15T00:00:00
db:	BID	id:	101751	date:	2017-11-14T00:00:00
db:	BID	id:	105298	date:	2018-09-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-014029	date:	2018-09-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-010095	date:	2017-12-05T00:00:00
db:	CNNVD	id:	CNNVD-201711-568	date:	2017-11-16T00:00:00
db:	NVD	id:	CVE-2017-11855	date:	2017-11-15T03:29:00