CVE-2019-0863
Published: 16 May 2019
Summary
CVE-2019-0863 is a high-severity vulnerability of unspecified weakness type in Microsoft Windows 10 1709. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 9.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2019-0863 is an elevation of privilege vulnerability in the way the Windows Error Reporting (WER) component handles files. It affects Microsoft Windows systems and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, and low privileges required.
A local attacker with existing low-privileged access can exploit the flaw without user interaction, with high impact on confidentiality, integrity, and availability, effectively escalating to full control of the system.
Microsoft security guidance published via the MSRC advisory portal addresses remediation steps, while the vulnerability appears in the CISA catalog of known exploited vulnerabilities.
Publicly available exploit code, including the proof-of-concept released as Angry Polar Bear 2, demonstrates local privilege escalation against WER on affected Windows versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-1612
Vulnerability details
An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforcing least privilege on WER processes and the files they handle directly blocks the low-to-high privilege escalation path exploited by CVE-2019-0863.
Proper access enforcement on files and objects processed by WER would have prevented the unauthorized elevation that the vulnerability permits.
Timely application of the vendor patch for CVE-2019-0863 eliminates the WER file-handling flaw before local exploitation can succeed.