CVE-2013-7331
Published: 26 February 2014
Summary
CVE-2013-7331 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 6.5 (Medium).
Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and CM-7 (Least Functionality).
Deeper analysis
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier versions has an information disclosure vulnerability, tracked as CVE-2013-7331 and classified as CWE-209. Remote attackers can supply specially crafted res:// URLs that trigger distinguishable error codes, revealing the existence or non-existence of local filesystem paths, UNC share paths, intranet hostnames, and intranet IP addresses without requiring authentication.
An attacker can embed such URLs in web content delivered to a victim browser, then inspect the resulting error responses to map internal resources on the target system or network. This enables reconnaissance that supports further targeted attacks, such as identifying files for subsequent exploitation or confirming the presence of specific intranet hosts.
Microsoft addressed the issue in security bulletin MS14-052, while additional details and indicators appear in CERT VU#539289 and related vendor advisories. The vulnerability was exploited in the wild in February 2014 during Operation Snowman, which compromised the US Veterans of Foreign Wars website to deliver DeputyDog malware.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-7105
Vulnerability details
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
- CWE(s): CWE-209
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires error messages to avoid revealing sensitive information (local paths, UNC shares, intranet hosts) that this CVE exploits via distinguishable res:// error codes.
Establishes usage restrictions and implementation guidance for mobile code technologies such as the vulnerable Microsoft.XMLDOM ActiveX control.
Enforces least functionality by disabling or restricting unnecessary ActiveX controls and features that enable the information-disclosure vector.