Windows 10 Meltdown Patch Bypass and hcsshim flaw

[German]Strange: Microsoft's Meltdown patches for Windows 10 had a fatal flaw. Now it's patched in Windows 10 Version 1803 – but not in older Windows 10 builds. And there is a critical Windows Host Compute Service Shim-Flaw – affecting container images – a patch is available.


Microsoft's Meltdown Patches Bypass

After Microsoft issued patches to close the Meltdown vulnerability, a new vulnerability Total Meltdown was caused. I've blogged about that within my article Windows 7/Server 2008 R2: Total Meltdown exploit went public. But there is also a Meltdown Bypass vulnerability in Windows 10. Microsoft has patched this in Windows 10 April Update (Version 1803).

Security researcher Alex Ionescu mentioned that within the above Tweet. It seems to me, that this is a similar issue, that I've covered within Windows 7/Server 2008 R2: Total Meltdown exploit went public.

"We are aware and are working to provide customers with an update," a Microsoft spokesperson told Bleeping Computer today in an email (see this article at Bleeping Computer).

Windows Host Compute Service Shim-Flaw

A German blog reader mentioned a 'Windows Host Compute Service Shim Remote Code Execution' flaw within this comment. The vulnerability CVE-2018-8115 has been mentioned within the NVD database, but hasn't been analyzed yet. But US CERT reported here, that Microsoft has released a security update to address a vulnerability in the Windows Host Compute Service Shim (hcsshim) library. A remote attacker could exploit this vulnerability to take control of an affected system.


A few hours ago, I received also a security notification from Microsoft with the following message:

Title: Microsoft Security Update Releases
Issued: May 2, 2018


The following CVE has undergone a major revision increment:

* CVE-2018-8115

Revision Information:

– CVE-2018-8115 | Windows Host Compute Service Shim Remote Code
   Execution Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: May 2, 2018
– Aggregate CVE Severity Rating: Critical

This Microsoft page contains a few more details (Bleeping Computer mentioned it also here).

A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image. To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Windows Host Compute Service Shim validates input from container images.

Microsoft has not identified any mitigating factors for this vulnerability. But there isn't a workaround for this vulnerability, related to Container images (Docker etc.). A patched hcsshim file is available for download from GitHub.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *