Experts from Kaspersky Lab reported that the recently patched Windows kernel zero-day vulnerability (CVE-2018-8611) has been exploited by several threat actors.

Microsoft’s Patch Tuesday updates for December 2018 address nearly 40 flaws, including a zero-day vulnerability affecting the Windows kernel.

The flaw, tracked as CVE-2018-8611, is a privilege escalation flaw caused by the failure of the Windows kernel to properly handle objects in memory.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” reads the security advisory published by Microsoft.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

The vulnerability was reported to Microsoft by researchers at Kaspersky Lab. Kudos to the Kaspersky experts, who in the last months reported two other Windows zero-days, CVE-2018-8453 and CVE-2018-8589, exploited respectively by FruityArmor and by multiple threat actors in attacks mostly aimed at the Middle East.

According to Kaspersky, CVE-2018-8611 is a race condition that resides in the Kernel Transaction Manager and, most interestingly, it could be used to escape the sandbox of the Chrome and Edge web browsers.

“CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode,” reads the analysis published by Kaspersky.

“This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.”

Kaspersky has found several builds of the CVE-2018-8611 exploit, including one adapted for the latest versions of Windows.

The flaw was exploited by known threat actors and a recently discovered group tracked as SandCat that appears to be active in the Middle East.

SandCat was also using the FinFisher/FinSpy spyware and the CHAINSHOT malware,

According to Kaspersky, SandCat exploited the CVE-2018-8611 flaw in attacks aimed at entities in the Middle East and Africa.

Pierluigi Paganini

(Security Affairs – SANDCAT, CVE-2018-8611)
