CVE-2017-0022
Published: 17 March 2017
Summary
CVE-2017-0022 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 6.5 (Medium).
Operationally, it is ranked in the top 2.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2 contains an information disclosure vulnerability. The component improperly handles objects in memory, which can be leveraged to reveal the presence of arbitrary files on disk. The issue is tracked as CWE-119 with a CVSS 3.1 base score of 6.5 reflecting network attack vector, low complexity, and high confidentiality impact.
An unauthenticated remote attacker can exploit the flaw by convincing a user to visit a specially crafted web site under the attacker's control. Successful exploitation allows the attacker to test for the existence of files on the victim's local disk without requiring additional privileges or user interaction beyond visiting the page, resulting in targeted information disclosure.
The Microsoft Security Response Center advisory for CVE-2017-0022 provides official guidance on available patches and mitigations for the listed Windows versions. A related security blog post documents the vulnerability's incorporation into exploit kit activity, confirming real-world use for file-existence probing in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0389
Vulnerability details
Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2 improperly handles objects in memory, allowing attackers to test for files on disk via a crafted web site, aka "Microsoft XML Information Disclosure Vulnerability."
- CWE(s)
- KEV Date Added: 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patches Microsoft released for CVE-2017-0022, eliminating the MSXML memory-handling flaw before exploitation.
Restricts or disables mobile code (scripts/active content) delivered by untrusted web sites, blocking the crafted-page vector used to trigger the MSXML information disclosure.
Deploys malicious-code protection mechanisms that can inspect or sandbox web content attempting to abuse the MSXML file-existence probe.