Two vulnerabilities in Windows Subsystem for Linux

Published: 2017-08-08 22:08:41
Severity Low
Patch available YES
Number of vulnerabilities 2
CVSSv2 5.3 (AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
3.6 (AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
CVSSv3 8 [CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
6.1 [CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE ID CVE-2017-8622
CVE-2017-8627
CWE ID CWE-20
CWE-119
Exploitation vector Local
Public exploit Not available
Vulnerable software Windows
Vulnerable software versions Windows 10
Vendor URL Microsoft
Advisory type Public

Security Advisory

1) Improper input validation

Description

The vulnerability allows a local user to elevate privileges on the system.

The vulnerability exists due to an error in the way that the Windows Subsystem for Linux handles NT pipes. A local user could exploit this vulnerability to execute code with elevated permissions.

Successful exploitation of the vulnerability may allow a local user to execute code with elevated privileges on the system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8622

2) Memory corruption

Description

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to boundary error within Windows Subsystem for Linux. A local user could exploit this vulnerability to perform a denial of service attack.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8627

Back to List