Information disclosure in Windows Remote Assistance

Published: 2018-03-13 23:25:04
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2018-0878
CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-611
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Windows, Windows Server
Vulnerable software versions: Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Vendor URL: Microsoft

Security Advisory

1) XXE attack

Description

The vulnerability allows a remote attacker to perform an XXE attack on the target system.

The vulnerability exists because Windows Remote Assistance incorrectly processes XML External Entities (XXE). A remote attacker can send a specially crafted Remote Assistance invitation file to a user and, once the user opens it, read text files from known locations on the victim's machine in the context of that user, or alternatively retrieve text content from URLs accessible to the victim.
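As an added, defender-side illustration (not part of this advisory and not Microsoft's code): a small scanner that a mail gateway or endpoint tool could run over inbound invitation files to quarantine any that declare external entities or an external DTD, which is the construct an XXE attack depends on. It assumes only that invitation files are XML; the element names in the constructed samples are placeholders, not the real invitation schema.

```python
"""Flag invitation XML that declares external entities or an external DTD (XXE indicator)."""
import re
from xml.parsers import expat

# Constructed sample: benign invitation-style XML (element names are assumed placeholders).
BENIGN = (b'<?xml version="1.0"?>'
          b'<UPLOADINFO TYPE="Escalated"><UPLOADDATA USERNAME="alice"/></UPLOADINFO>')

# Constructed sample: the same document carrying an external entity declaration of the
# kind an XXE attack relies on (placeholder URI, not a real target).
SUSPECT = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE UPLOADINFO [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt"> ]>\n'
           b'<UPLOADINFO TYPE="Escalated"><UPLOADDATA USERNAME="alice">&ext;</UPLOADDATA>'
           b'</UPLOADINFO>')

# Fallback for documents expat rejects before the DTD has been fully reported.
_EXTERNAL_RE = re.compile(rb'<!(?:ENTITY|DOCTYPE)[^>]*?\b(?:SYSTEM|PUBLIC)\b', re.IGNORECASE)


def find_external_references(data: bytes) -> list:
    """Return every external entity / external DTD reference declared in the document."""
    findings = []
    parser = expat.ParserCreate()

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings.append(("entity", name, system_id or public_id))

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            findings.append(("doctype", name, system_id or public_id))

    parser.EntityDeclHandler = on_entity
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)   # declarations are reported; nothing is fetched or resolved
    except expat.ExpatError:
        pass                       # malformed input: keep whatever was already reported
    if not findings and _EXTERNAL_RE.search(data):
        findings.append(("raw", None, "external identifier found in DTD text"))
    return findings


def verdict(data: bytes) -> str:
    """'quarantine' if the file declares any external reference, otherwise 'allow'."""
    return "quarantine" if find_external_references(data) else "allow"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, verdict(doc), find_external_references(doc))
```

A legitimate invitation has no reason to carry a DOCTYPE with SYSTEM or PUBLIC identifiers, so a non-empty result is a strong signal worth alerting on even before the patch is deployed.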

Remediation

Install updates from the vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0878