{"id":5562,"date":"2018-05-03T01:55:56","date_gmt":"2018-05-02T23:55:56","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=5562"},"modified":"2022-04-06T01:12:34","modified_gmt":"2022-04-05T23:12:34","slug":"windows-10-meltdown-patch-bypass-and-hcsshim-flaw","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/05\/03\/windows-10-meltdown-patch-bypass-and-hcsshim-flaw\/","title":{"rendered":"Windows 10 Meltdown Patch Bypass and hcsshim flaw"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/win102.jpg\" width=\"58\" align=\"left\" height=\"58\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/05\/03\/windows-10-meltdown-patch-bypass-und-windows-host-compute-service-shim-sicherheitslcken\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Strange: Microsoft's Meltdown patches for Windows 10 had a fatal flaw. It is now fixed in Windows 10 Version 1803 \u2013 but not in older Windows 10 builds. And there is a critical flaw in the Windows Host Compute Service Shim (hcsshim) \u2013 affecting container images \u2013 for which a patch is available. <\/p>\n<p><!--more--><\/p>\n<h2>Windows 10 Meltdown Patch Bypass<\/h2>\n<p>After Microsoft issued patches to close the Meltdown vulnerability in Windows 7 and Server 2008 R2, those patches themselves introduced a new vulnerability, dubbed Total Meltdown. I've blogged about that within my article <a href=\"https:\/\/borncity.com\/win\/2018\/04\/24\/windows-7-server-2008-r2-total-meltdown-exploit-went-public\/\">Windows 7\/Server 2008 R2: Total Meltdown exploit went public<\/a>. But there is also a Meltdown bypass vulnerability in Windows 10. Microsoft has patched this in the Windows 10 April Update (Version 1803). 
<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Welp, it turns out the <a href=\"https:\/\/twitter.com\/hashtag\/Meltdown?src=hash&amp;ref_src=twsrc%5Etfw\">#Meltdown<\/a> patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation. This is now patched on RS4 but not earlier builds &#8212; no backport?? <a href=\"https:\/\/t.co\/VIit6hmYK0\">pic.twitter.com\/VIit6hmYK0<\/a><\/p>\n<p>\u2014 Alex Ionescu (@aionescu) <a href=\"https:\/\/twitter.com\/aionescu\/status\/991675604469669890?ref_src=twsrc%5Etfw\">May 2, 2018<\/a><\/p><\/blockquote>\n<p>Security researcher Alex Ionescu disclosed the issue in the above <a href=\"https:\/\/twitter.com\/aionescu\/status\/991675604469669890\" target=\"_blank\" rel=\"noopener\">Tweet<\/a>: calling NtCallEnclave returns to user mode with the full kernel page table directory still in place, which undermines the separation of kernel and user page tables that the Meltdown patch was supposed to provide. The fix is in RS4 (Windows 10 Version 1803), but at the time of writing it has not been backported to earlier Windows 10 builds. It seems to me that this is a similar issue to the one I've covered within <a href=\"https:\/\/borncity.com\/win\/2018\/04\/24\/windows-7-server-2008-r2-total-meltdown-exploit-went-public\/\">Windows 7\/Server 2008 R2: Total Meltdown exploit went public<\/a>. 
<\/p>\n<p>\"We are aware and are working to provide customers with an update,\" a Microsoft spokesperson told Bleeping Computer today in an email (see <a href=\"https:\/\/web.archive.org\/web\/20211105215720\/https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-working-on-a-fix-for-windows-10-meltdown-patch-bypass\/\" target=\"_blank\" rel=\"noopener\">this article<\/a> at Bleeping Computer).<\/p>\n<h2>Windows Host Compute Service Shim (hcsshim) Flaw<\/h2>\n<p>A German blog reader mentioned a 'Windows Host Compute Service Shim Remote Code Execution' flaw in <a href=\"https:\/\/www.borncity.com\/blog\/2018\/05\/02\/windows-10-april-update-neuerungen-und-timeline-anschaut\/#comment-57425\" target=\"_blank\" rel=\"noopener\">this comment<\/a>. The vulnerability CVE-2018-8115 is <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-8115\" target=\"_blank\" rel=\"noopener\">listed<\/a> in the NVD database, but has not been analyzed there yet. US-CERT <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2018\/05\/02\/Microsoft-Releases-Security-Update\" target=\"_blank\" rel=\"noopener\">reported<\/a> that Microsoft has released a security update to address a vulnerability in the Windows Host Compute Service Shim (hcsshim) library. A remote attacker could exploit this vulnerability to take control of an affected system. 
<\/p>\n<p>A few hours ago, I also received a security notification from Microsoft with the following message:<\/p>\n<blockquote>\n<p>**********************************************<br \/>Title: Microsoft Security Update Releases<br \/>Issued: May 2, 2018<br \/>**********************************************<\/p>\n<p>Summary<br \/>=======<\/p>\n<p>The following CVE has undergone a major revision increment:<\/p>\n<p>* CVE-2018-8115<\/p>\n<p>Revision Information:<br \/>=====================<\/p>\n<p>&#8211; CVE-2018-8115 | Windows Host Compute Service Shim Remote Code<br \/>&nbsp;&nbsp; Execution Vulnerability<br \/>&#8211; <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\" target=\"_blank\" rel=\"noopener\">https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance<\/a><br \/>&#8211; Version: 1.0<br \/>&#8211; Reason for Revision: Information published.<br \/>&#8211; Originally posted: May 2, 2018<br \/>&#8211; Aggregate CVE Severity Rating: Critical<\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2018-8115\" target=\"_blank\" rel=\"noopener\">This Microsoft page<\/a> contains a few more details (Bleeping Computer also mentions it <a href=\"https:\/\/web.archive.org\/web\/20211105215720\/https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-working-on-a-fix-for-windows-10-meltdown-patch-bypass\/\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<blockquote>\n<p>A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image. To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host. 
<\/p>\n<p>An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.<\/p>\n<p>The security update addresses the vulnerability by correcting how Windows Host Compute Service Shim validates input from container images.<\/p>\n<\/blockquote>\n<p>Microsoft has not identified any mitigating factors for this vulnerability, and there is no workaround either: any container management service that uses hcsshim to import (pull) container images (Docker etc.) is affected until it is updated. The fix is published as hcsshim release v0.6.10 <a href=\"https:\/\/github.com\/Microsoft\/hcsshim\/releases\/tag\/v0.6.10\" target=\"_blank\" rel=\"noopener\">on GitHub<\/a>. Note that hcsshim is a Go library that container tools compile in, so a host is protected only once the container tooling it runs has been rebuilt or updated to a version containing the fixed library.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Strange: Microsoft's Meltdown patches for Windows 10 had a fatal flaw. It is now fixed in Windows 10 Version 1803 \u2013 but not in older Windows 10 builds. And there is a critical flaw in the Windows Host Compute Service Shim (hcsshim) \u2013 affecting container &hellip; <a href=\"https:\/\/borncity.com\/win\/2018\/05\/03\/windows-10-meltdown-patch-bypass-and-hcsshim-flaw\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,76],"class_list":["post-5562","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/5562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=5562"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/5562\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=5562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=5562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=5562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}