CVE-2019-1064
Published: 12 June 2019
Summary
CVE-2019-1064 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 10 1709. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-1064 is an elevation-of-privilege vulnerability in the Windows AppX Deployment Service (AppXSVC) that stems from improper handling of hard links, tracked under CWE-59. The flaw resides in a core Windows component responsible for deploying and managing packaged applications and affects multiple versions of Windows that include this service.
An authenticated local attacker can exploit the issue by logging on to a vulnerable system and executing a specially crafted application. Successful exploitation allows the attacker to run processes in an elevated context, thereby installing programs and viewing, modifying, or deleting data with privileges higher than those of the logged-on user.
Microsoft security updates address the vulnerability by correcting AppXSVC handling of hard links. Corresponding advisories are published on the Microsoft Security Response Center site and the Microsoft Security Update Guide.
The flaw appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed in-the-wild use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-9646
Vulnerability details
An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete…
more
data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links.
- CWE(s)
- KEV Date Added
- 15 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the root cause by requiring application of the vendor security update that corrects AppXSVC hard-link handling.
Limits the impact of successful exploitation by ensuring processes and users operate with only the privileges required, blocking unauthorized elevation via the AppXSVC flaw.
Enforces correct access decisions on hard-link operations within AppXSVC, preventing the improper privilege escalation path described in the CVE.