ID

VAR-201712-0147


CVE

CVE-2017-11907


TITLE

Automatic DNS registration and proxy autodiscovery allow spoofing of network services

Trust: 0.8

sources: CERT/CC: VU#598349

DESCRIPTION

Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to gain the same user rights as the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device.

On a network where the router's dynamic DNS registration/update function is enabled and the auto-detection function is enabled on client PCs, if a device with the host name "wpad" is added to the network, the contents of communications may be obtained or altered. Routers commonly used in homes and offices (including Google WiFi and Ubiquiti UniFi) often use a dynamic DNS registration/update function. This function automatically registers and updates A records using, as is, the host name sent by the client in its DHCP request. An attacker with access to the network who registers a device with the host name "wpad" or "isatap" in DNS may be able to draw access to that device and carry out attacks. The discoverers also confirmed that, using mDNS and without involving the router, client PCs on the network can be made to access "wpad" and "isatap" in combination with the auto-detection function.

Proxy auto-configuration via WPAD had already been considered a problem (https://googleprojectzero.blogspot.fi/2017/12/apacolypse-now-exploiting-windows-10-in_18.html) with respect to so-called rogue DHCP servers and upstream DNS servers, but the auto-configuration function inside a LAN/WLAN had not been mentioned. This issue was discovered and verified by Ossi Salmi, Mika Seppanen, Marko Laakso, and Kasper Kyllonen of Arctic Security, and NCSC-FI handled the coordination. If an attacker on an internal network adds a device with the host name "wpad" to the network, the device can be used as an attack proxy, and as a result the contents of communications may be obtained or altered.

The vendor has published this vulnerability as "Scripting Engine Memory Corruption Vulnerability". This vulnerability is different from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930. An attacker could gain the same user rights as the current user.

An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.

Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions. Internet Explorer 9, 10 and 11 are vulnerable.

Trust: 3.69

sources: NVD: CVE-2017-11907 // CERT/CC: VU#598349 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-011111 // BID: 105298 // BID: 102045 // VULMON: CVE-2017-11907

AFFECTED PRODUCTS

vendor: microsoft // model: internet explorer // scope: eq // version: 9

Trust: 2.7

vendor: microsoft // model: internet explorer // scope: eq // version: 11

Trust: 2.7

vendor: microsoft // model: internet explorer // scope: eq // version: 10

Trust: 2.7

vendor: adtran // model: - // scope: - // version: -

Trust: 0.8

vendor: mikrotik // model: - // scope: - // version: -

Trust: 0.8

vendor: pi hole // model: - // scope: - // version: -

Trust: 0.8

vendor: synology // model: - // scope: - // version: -

Trust: 0.8

vendor: tippingpoint // model: - // scope: - // version: -

Trust: 0.8

vendor: ubiquiti // model: - // scope: - // version: -

Trust: 0.8

vendor: multiple vendors // model: - // scope: - // version: -

Trust: 0.8

vendor: wpad // model: wpad // scope: eq // version: 0

Trust: 0.3

vendor: synology // model: skynas // scope: eq // version: 0

Trust: 0.3

vendor: synology // model: router manager // scope: eq // version: 1.1

Trust: 0.3

vendor: synology // model: dsm // scope: eq // version: 6.2

Trust: 0.3

vendor: synology // model: dsm // scope: eq // version: 6.1

Trust: 0.3

vendor: synology // model: dsm // scope: eq // version: 5.2

Trust: 0.3

vendor: adtran // model: total access 900/900e series // scope: eq // version: 0

Trust: 0.3

vendor: adtran // model: sdx 810-rg // scope: eq // version: 0

Trust: 0.3

vendor: adtran // model: netvanta // scope: eq // version: 60000

Trust: 0.3

vendor: adtran // model: netvanta series // scope: eq // version: 6000

Trust: 0.3

vendor: adtran // model: netvanta series // scope: eq // version: 5000

Trust: 0.3

vendor: adtran // model: netvanta series // scope: eq // version: 4000

Trust: 0.3

vendor: adtran // model: netvanta series // scope: eq // version: 3000

Trust: 0.3

vendor: adtran // model: netvanta series // scope: eq // version: 10000

Trust: 0.3

vendor: adtran // model: aos r13.2.2 // scope: - // version: -

Trust: 0.3

vendor: adtran // model: 434rg ont // scope: eq // version: 0

Trust: 0.3

vendor: adtran // model: 424rg ont // scope: eq // version: 0

Trust: 0.3

vendor: adtran // model: 414rg ont // scope: eq // version: 0

Trust: 0.3

vendor: synology // model: router manager // scope: ne // version: 1.1.7-6941-2

Trust: 0.3

vendor: synology // model: dsm // scope: ne // version: 6.2.1-23824

Trust: 0.3

sources: CERT/CC: VU#598349 // BID: 105298 // BID: 102045 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-011111 // CNNVD: CNNVD-201712-389 // NVD: CVE-2017-11907

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2017-11907
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201712-389
value: HIGH

Trust: 0.6

VULMON: CVE-2017-11907
value: HIGH

Trust: 0.1

VULMON: CVE-2017-11907
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

NVD: CVE-2017-11907
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.8

sources: VULMON: CVE-2017-11907 // JVNDB: JVNDB-2017-011111 // CNNVD: CNNVD-201712-389 // NVD: CVE-2017-11907

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2017-011111 // NVD: CVE-2017-11907

THREAT TYPE

network

Trust: 0.6

sources: BID: 105298 // BID: 102045

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201712-389

CONFIGURATIONS

sources: NVD: CVE-2017-11907

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2017-11907

PATCH

title: CVE-2017-11907 | Scripting Engine Memory Corruption Vulnerability
url: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-11907

Trust: 0.8

title: CVE-2017-11907 | Scripting Engine Memory Corruption Vulnerability
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/cve-2017-11907

Trust: 0.8

title: Repair measures for Microsoft Windows Internet Explorer scripting engine security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=77099

Trust: 0.6

title: CVE-2017-11907
url: https://github.com/re4lity/cve-2017-11907

Trust: 0.1

title: domato
url: https://github.com/googleprojectzero/domato

Trust: 0.1

title: js-vuln-db
url: https://github.com/tunz/js-vuln-db

Trust: 0.1

title: Exp101tsArchiv30thers
url: https://github.com/nu11secur1ty/exp101tsarchiv30thers

Trust: 0.1

title: awesome-cve-poc_qazbnm456
url: https://github.com/xbl3/awesome-cve-poc_qazbnm456

Trust: 0.1

title: Threatpost
url: https://threatpost.com/project-zero-chains-bugs-for-apacolypse-now-attack-on-windows-10/129193/

Trust: 0.1

title: Threatpost
url: https://threatpost.com/microsoft-december-patch-tuesday-update-fixes-34-bugs/129154/

Trust: 0.1

sources: VULMON: CVE-2017-11907 // JVNDB: JVNDB-2017-011111 // CNNVD: CNNVD-201712-389

EXTERNAL IDS

db: NVD // id: CVE-2017-11907

Trust: 2.8

db: CERT/CC // id: VU#598349

Trust: 2.0

db: BID // id: 102045

Trust: 2.0

db: SECTRACK // id: 1039991

Trust: 1.7

db: EXPLOIT-DB // id: 43370

Trust: 1.7

db: EXPLOIT-DB // id: 43367

Trust: 0.8

db: JVN // id: JVNVU99302544

Trust: 0.8

db: JVNDB // id: JVNDB-2017-014029

Trust: 0.8

db: JVNDB // id: JVNDB-2017-011111

Trust: 0.8

db: CNNVD // id: CNNVD-201712-389

Trust: 0.6

db: BID // id: 105298

Trust: 0.3

db: VULMON // id: CVE-2017-11907

Trust: 0.1

sources: CERT/CC: VU#598349 // VULMON: CVE-2017-11907 // BID: 105298 // BID: 102045 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-011111 // CNNVD: CNNVD-201712-389 // NVD: CVE-2017-11907

REFERENCES

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-11907

Trust: 2.0

url:https://www.exploit-db.com/exploits/43370/

Trust: 1.8

url:http://www.securityfocus.com/bid/102045

Trust: 1.7

url:http://www.securitytracker.com/id/1039991

Trust: 1.7

url:https://googleprojectzero.blogspot.fi/2017/12/apacolypse-now-exploiting-windows-10-in_18.html

Trust: 1.6

url:https://www.kb.cert.org/vuls/id/598349

Trust: 1.2

url:https://supportforums.adtran.com/docs/doc-9269

Trust: 1.1

url:https://www.exploit-db.com/exploits/43367/

Trust: 0.8

url:https://community.ubnt.com/t5/unifi-updates-blog/usg-firmware-v4-4-28-now-available/ba-p/2482349

Trust: 0.8

url:https://jvn.jp/vu/jvnvu99302544/

Trust: 0.8

url:https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2018/haavoittuvuus-2018-019.html

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11907

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20171213-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2017/at170048.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-11907

Trust: 0.8

url:https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html

Trust: 0.3

url:https://www.synology.com/en-global/support/security/synology_sa_18_53

Trust: 0.3

url:http://www.microsoft.com

Trust: 0.3

url:http://www.microsoft.com/ie/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://www.rapid7.com/db/vulnerabilities/msft-cve-2017-11907

Trust: 0.1

url:https://github.com/re4lity/cve-2017-11907

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CERT/CC: VU#598349 // VULMON: CVE-2017-11907 // BID: 105298 // BID: 102045 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-011111 // CNNVD: CNNVD-201712-389 // NVD: CVE-2017-11907

CREDITS

Ossi Salmi, Mika Seppanen, Marko Laakso and Kasper Kyllonen of Arctic Security

Trust: 0.3

sources: BID: 105298

SOURCES

db: CERT/CC // id: VU#598349
db: VULMON // id: CVE-2017-11907
db: BID // id: 105298
db: BID // id: 102045
db: JVNDB // id: JVNDB-2017-014029
db: JVNDB // id: JVNDB-2017-011111
db: CNNVD // id: CNNVD-201712-389
db: NVD // id: CVE-2017-11907

LAST UPDATE DATE

2022-05-06T12:59:16.669000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#598349 // date: 2018-10-23T00:00:00
db: VULMON // id: CVE-2017-11907 // date: 2019-04-25T00:00:00
db: BID // id: 105298 // date: 2018-09-05T00:00:00
db: BID // id: 102045 // date: 2017-12-19T22:38:00
db: JVNDB // id: JVNDB-2017-014029 // date: 2018-09-11T00:00:00
db: JVNDB // id: JVNDB-2017-011111 // date: 2018-01-05T00:00:00
db: CNNVD // id: CNNVD-201712-389 // date: 2019-04-26T00:00:00
db: NVD // id: CVE-2017-11907 // date: 2019-04-25T19:13:00

SOURCES RELEASE DATE

db: CERT/CC // id: VU#598349 // date: 2018-09-05T00:00:00
db: VULMON // id: CVE-2017-11907 // date: 2017-12-12T00:00:00
db: BID // id: 105298 // date: 2018-09-05T00:00:00
db: BID // id: 102045 // date: 2017-12-12T00:00:00
db: JVNDB // id: JVNDB-2017-014029 // date: 2018-09-07T00:00:00
db: JVNDB // id: JVNDB-2017-011111 // date: 2018-01-05T00:00:00
db: CNNVD // id: CNNVD-201712-389 // date: 2017-12-13T00:00:00
db: NVD // id: CVE-2017-11907 // date: 2017-12-12T21:29:00