CVE-2016-3309
Published: 09 August 2016
Summary
CVE-2016-3309 is a high-severity vulnerability (weakness type unspecified) in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).
Deeper analysis
The vulnerability is an elevation of privilege flaw in the kernel-mode drivers of the Win32k component, tracked as CVE-2016-3309. It affects Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607. The issue permits local users to gain elevated privileges through a specially crafted application and is distinct from the related Win32k issues CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311. It carries a CVSS 3.1 base score of 7.8, reflecting local access with high impact on confidentiality, integrity, and availability.
An attacker with the ability to run a crafted application on an affected system can exploit the flaw to elevate privileges, potentially obtaining administrative control over the target host. The attack requires local access and does not need user interaction beyond execution of the malicious code.
Microsoft addressed the vulnerability in security bulletin MS16-098, which provides patches for the listed Windows versions. Administrators are advised to apply the updates to eliminate the exposure.
Public exploit code for the issue has been published, increasing the likelihood of in-the-wild use by attackers with existing local access.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-4341
Vulnerability details
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.
- CWE(s): not specified
- KEV Date Added: 15 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of security-relevant patches such as MS16-098 that eliminate the Win32k EoP flaw.
- Least-privilege execution: enforces least-privilege execution so a local user who triggers the crafted application cannot obtain administrative rights.
- AC-3 (Access Enforcement): requires the system to enforce access-control decisions that the vulnerable Win32k kernel driver is failing to uphold.