Details of VAR-201712-0172

ID

VAR-201712-0172

CVE

CVE-2017-11890

TITLE

Automatic DNS registration and proxy autodiscovery allow spoofing of network services

Trust: 0.8

sources: CERT/CC: VU#598349

DESCRIPTION

Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11907, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930. Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device. Router DNS The dynamic registration / update function is enabled and the client PC In the network where the auto-detection function is enabled in "wpad" If a device with the host name is added to the network, the contents of the communication may be obtained or altered. Used in home and office (Google WiFi And Ubiquiti UniFi General including etc. ) In routers, often DNS Dynamic registration / update function is used. DNS Dynamic registration / update function DHCP Use the host name sent from the client side in the request as it is A Records are automatically registered / updated. An attacker with access to the network "wpad" And "isatap" A device with a host name of DNS By registering with, you may attract access to the device and attack it. Also, the discoverer mDNS Clients in the network without using a router PC In "wpad" And "isatap" It is confirmed that it can be accessed in combination with the automatic detection function. WPAD About proxy auto-configuration by so-called Nora DHCP Server or higher DNS On the server <a href="https://googleprojectzero.blogspot.fi/2017/12/apacolypse-now-exploiting-windows-10-in_18.html"target="blank"> Has been considered a problem </a> But, LAN/WLAN There was no mention of the internal auto-configuration function. This problem, Arctic Security Company Ossi Salmi , Mika Seppanen , Marko Laakso , Kasper Kyllonen Discovered and verified by NCSC-FI Made adjustments.In an internal network, an attacker "wpad" If a device with the host name is added to the network, the device can be used as an attack proxy, and as a result, the contents of the communication may be obtained or altered. Internet Explorer Contains a vulnerability in the execution of arbitrary code in the context of the current user due to a flaw in handling objects in memory. Vendors have scripted this vulnerability It has been released as “Engine Memory Corruption Vulnerability”. This vulnerability CVE-2017-11886 , CVE-2017-11889 , CVE-2017-11893 , CVE-2017-11894 , CVE-2017-11895 , CVE-2017-11901 , CVE-2017-11903 , CVE-2017-11905 , CVE-2017-11907 , CVE-2017-11908 , CVE-2017-11909 , CVE-2017-11910 , CVE-2017-11911 , CVE-2017-11912 , CVE-2017-11913 , CVE-2017-11914 , CVE-2017-11916 , CVE-2017-11918 and CVE-2017-11930 Is a different vulnerability.An attacker could execute arbitrary code in the context of the current user. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Microsoft Internet Explorer are prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. Failed attacks will cause denial of service conditions

Trust: 3.69

sources: NVD: CVE-2017-11890 // CERT/CC: VU#598349 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-011095 // BID: 105298 // BID: 102082 // VULMON: CVE-2017-11890

AFFECTED PRODUCTS

vendor:	microsoft	model:	internet explorer	scope:	eq	version:	9	Trust: 2.7
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	11	Trust: 2.7
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	10	Trust: 2.7
vendor:	adtran	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	mikrotik	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	pi hole	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	tippingpoint	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ubiquiti	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	multiple vendors	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	wpad	model:	wpad	scope:	eq	version:	0	Trust: 0.3
vendor:	synology	model:	skynas	scope:	eq	version:	0	Trust: 0.3
vendor:	synology	model:	router manager	scope:	eq	version:	1.1	Trust: 0.3
vendor:	synology	model:	dsm	scope:	eq	version:	6.2	Trust: 0.3
vendor:	synology	model:	dsm	scope:	eq	version:	6.1	Trust: 0.3
vendor:	synology	model:	dsm	scope:	eq	version:	5.2	Trust: 0.3
vendor:	adtran	model:	total access 900/900e series	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	sdx 810-rg	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	netvanta	scope:	eq	version:	60000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	6000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	5000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	4000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	3000	Trust: 0.3
vendor:	adtran	model:	netvanta series	scope:	eq	version:	10000	Trust: 0.3
vendor:	adtran	model:	aos r13.2.2	scope:	-	version:	-	Trust: 0.3
vendor:	adtran	model:	434rg ont	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	424rg ont	scope:	eq	version:	0	Trust: 0.3
vendor:	adtran	model:	414rg ont	scope:	eq	version:	0	Trust: 0.3
vendor:	synology	model:	router manager	scope:	ne	version:	1.1.7-6941-2	Trust: 0.3
vendor:	synology	model:	dsm	scope:	ne	version:	6.2.1-23824	Trust: 0.3

sources: CERT/CC: VU#598349 // BID: 105298 // BID: 102082 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-011095 // CNNVD: CNNVD-201712-398 // NVD: CVE-2017-11890

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2017-11890
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-201712-398
value:	HIGH
Trust: 0.6
VULMON:	CVE-2017-11890
value:	HIGH
Trust: 0.1

VULMON:	CVE-2017-11890
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

NVD:	CVE-2017-11890
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 1.8

sources: VULMON: CVE-2017-11890 // JVNDB: JVNDB-2017-011095 // CNNVD: CNNVD-201712-398 // NVD: CVE-2017-11890

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2017-011095 // NVD: CVE-2017-11890

THREAT TYPE

network

Trust: 0.6

sources: BID: 105298 // BID: 102082

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201712-398

CONFIGURATIONS

sources: NVD: CVE-2017-11890

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2017-11890

PATCH

title:	CVE-2017-11890 \| Scripting Engine Memory Corruption Vulnerability	url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-11890	Trust: 0.8
title:	CVE-2017-11890 \| スクリプトエンジンのメモリ破損の脆弱性	url:	https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/cve-2017-11890	Trust: 0.8
title:	Microsoft Windows Internet Explorer scripting Repair measures for engine security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=77108	Trust: 0.6
title:	js-vuln-db	url:	https://github.com/tunz/js-vuln-db	Trust: 0.1
title:	Exp101tsArchiv30thers	url:	https://github.com/nu11secur1ty/exp101tsarchiv30thers	Trust: 0.1
title:	awesome-cve-poc_qazbnm456	url:	https://github.com/xbl3/awesome-cve-poc_qazbnm456	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/project-zero-chains-bugs-for-apacolypse-now-attack-on-windows-10/129193/	Trust: 0.1

sources: VULMON: CVE-2017-11890 // JVNDB: JVNDB-2017-011095 // CNNVD: CNNVD-201712-398

EXTERNAL IDS

db:	NVD	id:	CVE-2017-11890	Trust: 2.8
db:	CERT/CC	id:	VU#598349	Trust: 2.0
db:	BID	id:	102082	Trust: 1.4
db:	SECTRACK	id:	1039991	Trust: 1.1
db:	EXPLOIT-DB	id:	43369	Trust: 1.1
db:	EXPLOIT-DB	id:	43367	Trust: 0.8
db:	JVN	id:	JVNVU99302544	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-014029	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-011095	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-398	Trust: 0.6
db:	BID	id:	105298	Trust: 0.3
db:	VULMON	id:	CVE-2017-11890	Trust: 0.1

sources: CERT/CC: VU#598349 // VULMON: CVE-2017-11890 // BID: 105298 // BID: 102082 // JVNDB: JVNDB-2017-014029 // JVNDB: JVNDB-2017-011095 // CNNVD: CNNVD-201712-398 // NVD: CVE-2017-11890

REFERENCES

url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-11890	Trust: 2.0
url:	https://googleprojectzero.blogspot.fi/2017/12/apacolypse-now-exploiting-windows-10-in_18.html	Trust: 1.6
url:	http://www.securityfocus.com/bid/102082	Trust: 1.2
url:	https://www.exploit-db.com/exploits/43369/	Trust: 1.2
url:	https://www.kb.cert.org/vuls/id/598349	Trust: 1.2
url:	https://supportforums.adtran.com/docs/doc-9269	Trust: 1.1
url:	http://www.securitytracker.com/id/1039991	Trust: 1.1
url:	https://www.exploit-db.com/exploits/43367/	Trust: 0.8
url:	https://community.ubnt.com/t5/unifi-updates-blog/usg-firmware-v4-4-28-now-available/ba-p/2482349	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu99302544/	Trust: 0.8
url:	https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2018/haavoittuvuus-2018-019.html	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11890	Trust: 0.8
url:	https://www.ipa.go.jp/security/ciadr/vul/20171213-ms.html	Trust: 0.8
url:	http://www.jpcert.or.jp/at/2017/at170048.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-11890	Trust: 0.8
url:	https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html	Trust: 0.3
url:	https://www.synology.com/en-global/support/security/synology_sa_18_53	Trust: 0.3
url:	http://www.microsoft.com	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://tools.cisco.com/security/center/viewalert.x?alertid=56135	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/project-zero-chains-bugs-for-apacolypse-now-attack-on-windows-10/129193/	Trust: 0.1

CREDITS

Ossi Salmi, Mika Seppanen, Marko Laakso and Kasper Kyllonen of Arctic Security

Trust: 0.3

sources: BID: 105298

SOURCES

db:	CERT/CC	id:	VU#598349
db:	VULMON	id:	CVE-2017-11890
db:	BID	id:	105298
db:	BID	id:	102082
db:	JVNDB	id:	JVNDB-2017-014029
db:	JVNDB	id:	JVNDB-2017-011095
db:	CNNVD	id:	CNNVD-201712-398
db:	NVD	id:	CVE-2017-11890

LAST UPDATE DATE

2022-05-06T12:59:16.716000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#598349	date:	2018-10-23T00:00:00
db:	VULMON	id:	CVE-2017-11890	date:	2017-12-26T00:00:00
db:	BID	id:	105298	date:	2018-09-05T00:00:00
db:	BID	id:	102082	date:	2017-12-19T22:38:00
db:	JVNDB	id:	JVNDB-2017-014029	date:	2018-09-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-011095	date:	2018-01-05T00:00:00
db:	CNNVD	id:	CNNVD-201712-398	date:	2017-12-13T00:00:00
db:	NVD	id:	CVE-2017-11890	date:	2017-12-26T14:56:00

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#598349	date:	2018-09-05T00:00:00
db:	VULMON	id:	CVE-2017-11890	date:	2017-12-12T00:00:00
db:	BID	id:	105298	date:	2018-09-05T00:00:00
db:	BID	id:	102082	date:	2017-12-12T00:00:00
db:	JVNDB	id:	JVNDB-2017-014029	date:	2018-09-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-011095	date:	2018-01-05T00:00:00
db:	CNNVD	id:	CNNVD-201712-398	date:	2017-12-13T00:00:00
db:	NVD	id:	CVE-2017-11890	date:	2017-12-12T21:29:00