CVE-2019-1253
Published: 11 September 2019
Summary
CVE-2019-1253 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 10 1709. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
An elevation of privilege vulnerability exists in the Windows AppX Deployment Server when it improperly handles junctions. The flaw, tracked as CVE-2019-1253, affects Windows systems and carries a CVSS 3.1 base score of 7.8. It is distinct from the related issues CVE-2019-1215, CVE-2019-1278, and CVE-2019-1303.
An attacker who has already obtained code execution on a victim system can exploit the weakness to escalate privileges. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the affected host without requiring user interaction beyond the initial foothold.
Microsoft's security advisory and the CISA Known Exploited Vulnerabilities catalog address the issue, indicating that patches are available through standard Windows update channels. Public exploit code has been published, and the KEV listing reflects observed real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-9819
Vulnerability details
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.
- CWE(s): CWE-59 (Link Following)
- KEV Date Added: 15 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the vendor patch that corrects the AppX Deployment Server's improper junction handling.
- AC-6 (Least Privilege): Limits the privileges available to any initial code execution, thereby blocking or reducing the impact of the subsequent EoP.
- Access enforcement: Enforces access-control decisions on file-system objects so that malicious junctions cannot be used to elevate rights.