Issues potentially affected all PCs and other devices running on Windows 10
Positive Technologies expert Mikhail Tsvetkov has discovered two critical vulnerabilities in Microsoft Windows 10. With them, an attacker could obtain access to Windows 10 computers and intercept sensitive information. Both vulnerabilities have been fixed in Microsoft's March 2019 security update.
The vulnerabilities were discovered in the DHCP client built into Windows 10. The DHCP protocol is responsible for automatically connecting devices to a network by assigning IP addresses and other network parameters. DHCP helps to avoid network conflicts, such as duplicate IP addresses, and the need to configure each device manually. An administrator can simply configure a DHCP server once on a physical server or router in order to assign IP addresses and other network parameters to DHCP clients (such as employee workstations, printers, and other equipment). Network configurations are leased for a period of time that is set by the administrator, after which the client must renew them.
Positive Technologies expert Mikhail Tsvetkov explained: "Here is how such a vulnerability could be exploited. An attacker configures a DHCP server on their computer. The server responds to network configuration requests with malformed packets. On some networks, this attack is possible from a mobile phone or tablet. Then the attacker waits for a vulnerable Windows 10 computer to ask for a renewal of its IP address lease, which usually happens every few hours. By sending this invalid response, the attacker can obtain the rights of an anonymous user on the victim computer."
Even at that point, exploitation of this vulnerability was no "home run" for the attacker, since the anonymous user has limited privileges. Access to user and system processes, registry folders and branches, and a number of other folders is forbidden. However, other vulnerabilities could be chained to escalate privileges and continue the attack. According to Positive Technologies statistics, corporate workstations are poorly defended: in 100 percent of test cases, it was possible to obtain full control over the network from an employee computer. In 2017, even after the appearance of WannaCry, more than half of tested systems were still found to contain the vulnerability that enabled the malware outbreak to spread (though the patch had been released several months before the outbreak).
Attackers had to be on the same network as the targeted system. But this could be an attacker who has succeeded in using phishing to obtain access to a poorly protected workstation. The ultimate target could be a critical system, such as internal bank servers. And at some organizations, attacks could originate directly from external networks (when DHCP Relay has been configured to get network parameters from an external DHCP server).
Both vulnerabilities were exploited by spoofing the response from the legitimate DHCP server with a specially crafted message. The attacker sent a special list of DNS suffixes (CVE-2019-0726) or included an abnormally large number of options in the DHCP response (CVE-2019-0697).
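As an added example (not code from Positive Technologies, Microsoft, or the advisory itself), the following Python parses the option area of a DHCP server response defensively and reports the two malformed shapes described above: an abnormally large number of options, and a DNS suffix search list (option 119, RFC 3397) whose encoding is invalid. It is written from the monitoring side, the kind of check a network sensor or a DHCP snooping log pipeline would apply to replies seen on the wire. The option-count threshold, the sample packets and all helper names are assumptions constructed for this example.

```python
"""Defensive checks for DHCP server replies (constructed example, not vendor code)."""
from __future__ import annotations

import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the option area (RFC 2131)
OPT_PAD, OPT_END = 0, 255
OPT_DOMAIN_SEARCH = 119              # DNS suffix search list (RFC 3397)
MAX_OPTIONS = 64                     # assumed threshold; a normal DHCPACK carries a dozen or so


def parse_options(payload: bytes) -> list[tuple[int, bytes]]:
    """Return (code, value) pairs from a DHCP message; raise ValueError on any overrun."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 240, []
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:            # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(payload):
            raise ValueError("option header truncated")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:       # declared length runs past the packet
            raise ValueError(f"option {code} length {length} exceeds packet")
        opts.append((code, value))
        i += 2 + length
    raise ValueError("no END option")


def decode_domain_search(data: bytes) -> list[str]:
    """Decode option 119 with strict bounds, label and compression-pointer checks."""
    names, pos = [], 0
    while pos < len(data):
        start, p, labels, jumped, hops = pos, pos, [], False, 0
        while True:
            if p >= len(data):
                raise ValueError("name runs past option data")
            n = data[p]
            if n == 0:                 # end of this name
                p += 1
                break
            if n & 0xC0 == 0xC0:       # compression pointer, must refer to an earlier name
                if p + 1 >= len(data):
                    raise ValueError("truncated compression pointer")
                target = ((n & 0x3F) << 8) | data[p + 1]
                if target >= start:
                    raise ValueError("compression pointer does not refer to an earlier name")
                hops += 1
                if hops > 16:
                    raise ValueError("pointer chain too long")
                if not jumped:         # the name ends 2 bytes after its first pointer
                    pos, jumped = p + 2, True
                p = target
                continue
            if n > 63:
                raise ValueError("label longer than 63 bytes")
            if p + 1 + n > len(data):
                raise ValueError("label runs past option data")
            labels.append(data[p + 1 : p + 1 + n].decode("ascii"))
            p += 1 + n
        if not jumped:
            pos = p
        names.append(".".join(labels))
    return names


def check_dhcp_response(payload: bytes) -> list[str]:
    """Return findings worth alerting on; an empty list means nothing suspicious."""
    try:
        opts = parse_options(payload)
    except ValueError as exc:
        return [f"malformed option area: {exc}"]
    findings = []
    if len(opts) > MAX_OPTIONS:
        findings.append(f"{len(opts)} options (threshold {MAX_OPTIONS})")
    for code, value in opts:
        if code == OPT_DOMAIN_SEARCH:
            try:
                decode_domain_search(value)
            except ValueError as exc:
                findings.append(f"malformed domain search list: {exc}")
    return findings


# --- constructed sample messages (zeroed fixed header; only the option area matters here) ---
def build_reply(options: list[tuple[int, bytes]]) -> bytes:
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return bytes(236) + MAGIC_COOKIE + body + bytes([OPT_END])


def encode_domain_search(names: list[str]) -> bytes:
    out = b""
    for name in names:
        out += b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return out


NORMAL = build_reply([
    (53, b"\x05"),                        # DHCPACK
    (54, bytes([192, 168, 1, 1])),        # server identifier (constructed address)
    (51, struct.pack(">I", 86400)),       # one-day lease
    (119, encode_domain_search(["corp.example", "example"])),
])
BAD_SUFFIX = build_reply([(53, b"\x05"), (119, b"\x04corp\xc0\x10")])  # pointer past the name
TOO_MANY = build_reply([(53, b"\x05")] + [(12, b"h")] * 100)            # 101 options
TRUNCATED = bytes(236) + MAGIC_COOKIE + bytes([54, 4, 192, 168])        # length overruns packet

if __name__ == "__main__":
    for label, pkt in [("normal", NORMAL), ("bad suffix", BAD_SUFFIX),
                       ("too many", TOO_MANY), ("truncated", TRUNCATED)]:
        print(f"{label:10s}: {check_dhcp_response(pkt) or 'ok'}")
```

The two design points are that every slice is length-checked before use, so a reply that lies about an option length is reported rather than read past, and that compression pointers in the suffix list may only refer backwards to an earlier name with a bounded hop count, which rules out pointer loops and references outside the option. A sensor can raise `check_dhcp_response` findings as alerts and, separately, log which server identifier (option 54) sent the reply so a rogue server on the segment can be located.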
This is not the first time Positive Technologies and Microsoft have worked together. In 2013, Timur Yunusov and other Positive Technologies experts discovered the ability to perform XXE attacks in Microsoft Office applications. In 2017, while performing incident response work, Mikhail Tsvetkov discovered an attempt to exploit CVE-2017-0263, a Windows vulnerability unknown at the time, which enabled installing programs; viewing, changing, and deleting data; and creating new accounts with system privileges.
Checks for the presence of vulnerabilities CVE-2019-0726 and CVE-2019-0697 have been added to the knowledge base of the MaxPatrol 8 vulnerability and compliance management system.