Microsoft Malware Protection Engine < 1.1.13804 Multiple Vulnerabilities

high Nessus Plugin ID 100551

Synopsis

An antimalware application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Microsoft Malware Protection Engine (MMPE) installed on the remote Windows host is prior to 1.1.13804.0. It is, therefore, affected by multiple vulnerabilities :

- Multiple denial of service vulnerabilities exist due to improper scanning of specially crafted files. An unauthenticated, remote attacker can exploit these, by convincing a user to download or open a malicious file, to cause the monitoring service to stop. (CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8539, CVE-2017-8542)

- Multiple memory corruption issues exist due to improper validation of input when scanning specially crafted files. An unauthenticated, remote attacker can exploit these, by convincing a user to download or open a malicious file, to cause a denial of service condition or the possible execution of arbitrary code.
(CVE-2017-8538, CVE-2017-8541)

- A use-after-free error exists in the garbage collection system used for managing JavaScript objects when scanning specially crafted files. An unauthenticated, remote attacker can exploit this, by convincing a user to download or open a malicious file, to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-8540)

- A flaw exits in the x86 emulator implementation for the Win32 API due to improper restrictions on access to certain NTDLL routines. An unauthenticated, remote attacker can exploit this, by convincing a user to download or open a malicious file, to execute arbitrary code with SYSTEM privileges.

Note that Nessus has checked if a vulnerable version of MMPE is being used by any of the following applications :

- Microsoft Forefront Endpoint Protection 2010

- Microsoft Endpoint Protection

- Microsoft Forefront Security for SharePoint

- Microsoft System Center Endpoint Protection

- Microsoft Security Essentials

- Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows 10 1703, and Windows Server 2016

- Windows Intune Endpoint Protection

Solution

Enable automatic updates to update the scan engine for the relevant antimalware applications. Refer to Knowledge Base Article 2510781 for information on how to verify that MMPE has been updated.

See Also

http://www.nessus.org/u?f8fbaf43

http://www.nessus.org/u?11f499cd

http://www.nessus.org/u?e396b434

http://www.nessus.org/u?488a2d94

http://www.nessus.org/u?8c519ccb

http://www.nessus.org/u?e672c25a

http://www.nessus.org/u?bffe5e2f

http://www.nessus.org/u?b798c511

http://www.nessus.org/u?34db9ea8

https://bugs.chromium.org/p/project-zero/issues/detail?id=1260

Plugin Details

Severity: High

ID: 100551

File Name: microsoft_mpeng_1_1_13804.nasl

Version: 1.9

Type: local

Agent: windows

Family: Windows

Published: 5/31/2017

Updated: 4/25/2023

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-8541

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows, cpe:/a:microsoft:malware_protection_engine

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/24/2017

Vulnerability Publication Date: 5/25/2017

CISA Known Exploited Vulnerability Due Dates: 3/24/2022

Reference Information

CVE: CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8538, CVE-2017-8539, CVE-2017-8540, CVE-2017-8541, CVE-2017-8542

BID: 98702, 98703, 98704, 98705, 98706, 98707, 98708, 98710