CVE-2017-8540
Published: 26 May 2017
Summary
CVE-2017-8540 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Microsoft Malware Protection Engine as shipped with Microsoft Windows Server 2008 and the other Windows and Exchange versions listed below. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
The vulnerability is a remote code execution flaw, tracked as CVE-2017-8540, in the Microsoft Malware Protection Engine used by Microsoft Forefront, Microsoft Defender, and related products. It affects Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, multiple Windows 10 releases through 1703, Windows Server 2016, and Microsoft Exchange Server 2013 and 2016. The root cause is improper handling of a specially crafted file during scanning, which produces memory corruption classified under CWE-787.
An attacker exploits the issue by getting a malicious file onto the target system where the engine scans it. Successful exploitation yields arbitrary code execution with the privileges of the scanning process, and the engine service (MsMpEng.exe) runs as LocalSystem, so a successful exploit is a full host compromise. The CVSS vector records a local attack vector, low complexity, no privileges required, and user interaction needed, with full confidentiality, integrity, and availability impact. In practice the "user interaction" can be minimal: with real-time protection enabled, the engine scans a file as soon as it lands on disk, so an e-mail attachment, a browser download, or a file dropped onto a share can trigger the scan without the user ever opening it.
Publicly available references, including the Microsoft Security Response Center advisory and an entry on Exploit-DB, indicate that updates addressing the flaw have been released, and at least one working exploit has been published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-17490
Vulnerability details
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability", a different vulnerability than CVE-2017-8538 and CVE-2017-8541.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches released to correct the memory-corruption flaw in the Malware Protection Engine. Engine updates ship through the same channel as definition updates, so a host whose definition updates are stalled is also missing the engine fix.
- SI-16 (Memory Protection): implements memory-protection mechanisms that can block the out-of-bounds write (CWE-787) exploited by the crafted file.
- SI-3 (Malicious Code Protection): requires the malicious-code protection capability whose failure is the root cause; proper configuration and updates of the engine itself reduce exposure.
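A practical way to verify SI-2 for this engine on a Windows host is to read the running engine build and compare it with the fixed release. The following PowerShell script is an added example, not code from this page or from Microsoft; it relies on the Defender module's Get-MpComputerStatus and Update-MpSignature cmdlets, and the fixed version 1.1.13804.0 it assumes is my reading of the MSRC advisory for this batch of engine CVEs, so confirm it against the advisory before relying on it.

```powershell
# Added example: report whether the local Malware Protection Engine is at or above
# the fixed build for CVE-2017-8540 and, if not, pull the update and re-check.
# $FixedEngineVersion is an assumption taken from the MSRC advisory; verify it there.
param(
    [version]$FixedEngineVersion = [version]'1.1.13804.0'
)

function Test-MpEngineFixed {
    param([Parameter(Mandatory)][version]$Fixed)

    # Get-MpComputerStatus exposes the engine build (AMEngineVersion) separately
    # from the signature version; it is the engine build that carries this fix.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EngineVersion        = $engine
        FixedVersion         = $Fixed
        Patched              = ($engine -ge $Fixed)
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        SignatureVersion     = $status.AntivirusSignatureVersion
        # Real-time protection plus an old engine is the worst case: every file
        # that lands on disk is scanned by the vulnerable code without user action.
        ExposedToDriveBy     = ($engine -lt $Fixed) -and $status.RealTimeProtectionEnabled
    }
}

$result = Test-MpEngineFixed -Fixed $FixedEngineVersion
$result | Format-List

if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is below $FixedEngineVersion on $($result.ComputerName)."
    # Engine updates are delivered with definition updates, so forcing a signature
    # update also fetches the current engine build.
    Update-MpSignature -ErrorAction Stop
    $after = Test-MpEngineFixed -Fixed $FixedEngineVersion
    if ($after.Patched) {
        Write-Host "Engine now $($after.EngineVersion); fix applied."
    } else {
        Write-Warning "Engine still $($after.EngineVersion); check the update source (WSUS/MU) and the Windows Defender service."
    }
}
```

Run it in an elevated PowerShell session on each host in scope. The Defender module is only present where Windows Defender is the installed product; on Windows 7 or Windows Server 2008 hosts running Microsoft Security Essentials or Forefront, and on Exchange servers, read the engine version from the product's own update status in its management console instead, and compare it against the same fixed build.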