CVE-2018-8174
Published: 09 May 2018
Summary
CVE-2018-8174 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-8174 is a remote code execution vulnerability in the Windows VBScript engine caused by improper handling of objects in memory, classified under CWE-787 as an out-of-bounds write. It affects Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
An unauthenticated attacker can trigger the flaw over a network with no privileges required, although exploitation requires user interaction and presents high attack complexity. Successful exploitation yields full control over the target system, enabling arbitrary code execution with high impact to confidentiality, integrity, and availability.
Microsoft published an advisory detailing the issue and available updates, while a micropatch approach has also been demonstrated for certain deployments. Public exploit code for the vulnerability is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-19844
Vulnerability details
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows…
more
Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
- CWE(s)
- KEV Date Added
- 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patch that eliminates the out-of-bounds write flaw in the VBScript engine.
Allows disabling or uninstalling the VBScript engine (or restricting its use) so the vulnerable component cannot be invoked.
Establishes usage restrictions and technical controls on mobile code such as VBScript executed by the browser or Office.