Microsoft Malware Protection Engine < 1.1.13804 Multiple Vulnerabilities

High Nessus Plugin ID 100551

Synopsis

An antimalware application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Microsoft Malware Protection Engine (MMPE) installed on the remote Windows host is prior to 1.1.13804.0. It is, therefore, affected by multiple vulnerabilities:

- Multiple denial of service vulnerabilities exist due to improper scanning of specially crafted files. An unauthenticated, remote attacker can exploit these, by convincing a user to download or open a malicious file, to cause the monitoring service to stop. (CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8539, CVE-2017-8542)

- Multiple memory corruption issues exist due to improper validation of input when scanning specially crafted files. An unauthenticated, remote attacker can exploit these, by convincing a user to download or open a malicious file, to cause a denial of service condition or the possible execution of arbitrary code. (CVE-2017-8538, CVE-2017-8541)

- A use-after-free error exists in the garbage collection system used for managing JavaScript objects when scanning specially crafted files. An unauthenticated, remote attacker can exploit this, by convincing a user to download or open a malicious file, to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-8540)

- A flaw exists in the x86 emulator implementation for the Win32 API due to improper restrictions on access to certain NTDLL routines. An unauthenticated, remote attacker can exploit this, by convincing a user to download or open a malicious file, to execute arbitrary code with SYSTEM privileges.

Note that Nessus has checked if a vulnerable version of MMPE is being used by any of the following applications:

- Microsoft Forefront Endpoint Protection 2010

- Microsoft Endpoint Protection

- Microsoft Forefront Security for SharePoint

- Microsoft System Center Endpoint Protection

- Microsoft Security Essentials

- Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows 10 1703, and Windows Server 2016

- Windows Intune Endpoint Protection

Solution

Enable automatic updates to update the scan engine for the relevant antimalware applications. Refer to Knowledge Base Article 2510781 for information on how to verify that MMPE has been updated.
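A local way to confirm the engine is at or above the fixed build, as an added example that is not part of the Nessus plugin or of Microsoft's KB article. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available, as it is on Windows 8.1, Windows 10 and Windows Server 2016; the helper name Test-MmpeVulnerable is hypothetical.

```powershell
# Added example: compare the installed Malware Protection Engine build against the
# fixed version named in this advisory (1.1.13804.0). Assumes the Defender module is present.
$FixedEngine = [version]'1.1.13804.0'

function Test-MmpeVulnerable {
    param([Parameter(Mandatory)][string]$EngineVersion)
    # Compare as [version] objects, not as strings: as text, '1.1.13804.0' -lt '1.1.9999.0'
    # evaluates to $true because '1' sorts before '9', which would misreport a patched host.
    return ([version]$EngineVersion) -lt $FixedEngine
}

$installed = (Get-MpComputerStatus).AMEngineVersion
if (Test-MmpeVulnerable -EngineVersion $installed) {
    Write-Warning "MMPE $installed is older than $FixedEngine; run Update-MpSignature and re-check."
} else {
    Write-Output "MMPE $installed is at or above $FixedEngine."
}
```

Products without the Defender module (for example Forefront or System Center Endpoint Protection) should instead be checked by the method in Knowledge Base Article 2510781.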

See Also

http://www.nessus.org/u?f8fbaf43

http://www.nessus.org/u?11f499cd

http://www.nessus.org/u?e396b434

http://www.nessus.org/u?488a2d94

http://www.nessus.org/u?8c519ccb

http://www.nessus.org/u?e672c25a

http://www.nessus.org/u?bffe5e2f

http://www.nessus.org/u?b798c511

http://www.nessus.org/u?34db9ea8

https://bugs.chromium.org/p/project-zero/issues/detail?id=1260

Plugin Details

Severity: High

ID: 100551

File Name: microsoft_mpeng_1_1_13804.nasl

Version: 1.6

Type: local

Agent: windows

Family: Windows

Published: 2017/05/31

Updated: 2019/01/02

Dependencies: 13855, 43164

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows, cpe:/a:microsoft:malware_protection_engine

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/05/24

Vulnerability Publication Date: 2017/05/25

Reference Information

CVE: CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8538, CVE-2017-8539, CVE-2017-8540, CVE-2017-8541, CVE-2017-8542

BID: 98702, 98703, 98704, 98705, 98706, 98707, 98708, 98710