Executive Summary

Summary
TitleVulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege
Informations
NameKB2914486First vendor Publication2013-11-27
VendorMicrosoftLast vendor Modification1970-01-01
Severity (Vendor) N/ARevision1.0

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score7.2Attack RangeLocal
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score3.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

General Information

Executive Summary

Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.

Our investigation of this vulnerability has verified that it does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003.

The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Microsoft is actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users

Recommendation. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

ReferencesIdentification
CVE ReferenceCVE-2013-5065
General InformationNDPROXY Overview

Affected Software

This advisory discusses the following software.

Affected Software
Operating System
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems

Non-Affected Software
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT
Windows RT 8.1

Advisory FAQ

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is aware of a new vulnerability report affecting Windows XP and Windows Server 2003.

What causes the vulnerability?
The vulnerability is caused when the NDProxy.sys kernel component fails to properly validate input.

What is NDPROXY?
NDPROXY is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interfaces (TAPI) services. For additional information, see MSDN article, NDPROXY Overview.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Suggested Actions

Apply Workarounds

Workarounds refer to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. See the next section, Workarounds, for more information.

Workarounds

Reroute the NDProxy service to Null.sys

For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild.

To implement this workaround, follow these steps:

  1. From an elevated command prompt, execute the following commands:

    sc stop ndproxy
    reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f

  2. Restart the system.

Effects of this workaround

Disabling NDProxy.sys will cause certain services that rely on Windows Telephony Application Programming Interfaces (TAPI) to not function. Services that will no longer work include Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN).

How to undo the workaround

To undo this workaround, follow these steps:

  1. From an elevated command prompt, execute the following commands:

    sc stop ndproxy
    reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\ndproxy.sys /f

  2. Restart the system.
Additional Suggested Actions
  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2914486.mspx

CWE : Common Weakness Enumeration

%idName
100 %CWE-20Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22288
 
Oval ID: oval:org.mitre.oval:def:22288
Title: Kernel NDProxy Vulnerability (CVE-2013-5065) - MS14-002
Description: NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
Family: windows Class: vulnerability
Reference(s): CVE-2013-5065
Version: 3
Platform(s): Microsoft Windows Server 2003
Microsoft Windows XP
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Os1
Os2

ExploitDB Exploits

idDescription
2013-12-17Microsoft Windows ndproxy.sys - Local Privilege Escalation
2013-12-03Windows NDPROXY Local SYSTEM Privilege Escalation

Information Assurance Vulnerability Management (IAVM)

DateDescription
2014-01-16IAVM : 2014-A-0004 - Microsoft Windows Kernel Privilege Escalation Vulnerability
Severity : Category II - VMSKEY : V0043405

Snort® IPS/IDS

DateDescription
2014-01-10Microsoft Windows NDProxy.sys privilege escalation attempt
RuleID : 28872 - Revision : 5 - Type : OS-WINDOWS
2014-01-10Microsoft Windows NDProxy.sys privilege escalation attempt
RuleID : 28871 - Revision : 5 - Type : OS-WINDOWS
2014-01-10Microsoft Windows NDProxy.sys privilege escalation attempt
RuleID : 28870 - Revision : 5 - Type : OS-WINDOWS
2014-01-10Microsoft Windows NDProxy.sys privilege escalation attempt
RuleID : 28869 - Revision : 5 - Type : OS-WINDOWS
2014-01-10Microsoft Windows NDProxy.sys privilege escalation attempt
RuleID : 28868 - Revision : 5 - Type : OS-WINDOWS
2014-01-10Microsoft Windows NDProxy.sys privilege escalation attempt
RuleID : 28867 - Revision : 5 - Type : OS-WINDOWS

Metasploit Database

idDescription
2013-11-27 MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

Nessus® Vulnerability Scanner

DateDescription
2014-01-14Name : The Windows kernel on the remote host is affected by a privilege escalation v...
File : smb_nt_ms14-002.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
DateInformations
2014-01-19 21:29:41
  • Multiple Updates
2014-01-16 13:22:10
  • Multiple Updates
2014-01-05 00:18:31
  • Multiple Updates
2014-01-03 17:19:07
  • Multiple Updates
2013-11-29 17:21:28
  • Multiple Updates
2013-11-28 13:21:48
  • Multiple Updates
2013-11-28 00:22:46
  • First insertion