CVE-2013-5065
Published: 28 November 2013
Summary
CVE-2013-5065 is a high-severity vulnerability of unspecified weakness type in Microsoft Windows XP. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 1.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
NDProxy.sys in the kernel of Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2 contains a vulnerability that permits local privilege escalation when a crafted application is executed. The flaw is tracked as CVE-2013-5065, with a CVSS 3.1 score of 7.8 reflecting a local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
Local users without administrative rights can exploit the issue by running a malicious application that triggers the flaw in NDProxy.sys, resulting in elevated privileges on affected systems. Public references confirm the vulnerability was exploited in the wild as early as November 2013.
Microsoft security advisory 2914486 and bulletin MS14-002 address the issue and provide mitigation guidance, while additional details appear in FireEye reporting and a public exploit on Exploit-DB. The vulnerability was publicly disclosed and actively used in targeted attacks during late 2013.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-4907
Vulnerability details
NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): least privilege directly limits the ability of local users to obtain kernel-level rights via the NDProxy.sys flaw.
- SI-2 (Flaw Remediation): applying the MS14-002 patch removes the vulnerable NDProxy.sys code before exploitation can succeed.
- SI-3 (Malicious Code Protection): malicious-code protections can block or alert on execution of the crafted application that triggers the kernel flaw.