Strange: Microsoft's Meltdown patches for Windows 10 had a fatal flaw. It is now fixed in Windows 10 Version 1803 – but not in older Windows 10 builds. And there is a critical flaw in the Windows Host Compute Service Shim – affecting container images – for which a patch is available.
Microsoft's Meltdown Patch Bypass
After Microsoft issued patches to close the Meltdown vulnerability, those patches introduced a new vulnerability, Total Meltdown, which I covered in my article Windows 7/Server 2008 R2: Total Meltdown exploit went public. But there is also a Meltdown bypass vulnerability in Windows 10, which Microsoft has patched in the Windows 10 April Update (Version 1803).
Welp, it turns out the #Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation. This is now patched on RS4 but not earlier builds — no backport?? pic.twitter.com/VIit6hmYK0
— Alex Ionescu (@aionescu) May 2, 2018
Security researcher Alex Ionescu pointed this out in the tweet above. It seems to me that this is a similar issue to the one I covered in Windows 7/Server 2008 R2: Total Meltdown exploit went public.
"We are aware and are working to provide customers with an update," a Microsoft spokesperson told Bleeping Computer today in an email (see this article at Bleeping Computer).
Windows Host Compute Service Shim Flaw
A German blog reader mentioned a 'Windows Host Compute Service Shim Remote Code Execution' flaw in this comment. The vulnerability CVE-2018-8115 is listed in the NVD database, but has not been analyzed yet. US-CERT, however, reported here that Microsoft has released a security update to address a vulnerability in the Windows Host Compute Service Shim (hcsshim) library. A remote attacker could exploit this vulnerability to take control of an affected system.
A few hours ago I also received a security notification from Microsoft with the following message:
**********************************************
Title: Microsoft Security Update Releases
Issued: May 2, 2018
**********************************************

Summary
=======

The following CVE has undergone a major revision increment:

* CVE-2018-8115

Revision Information:
=====================

– CVE-2018-8115 | Windows Host Compute Service Shim Remote Code Execution Vulnerability
– https://portal.msrc.microsoft.com/en-us/security-guidance
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: May 2, 2018
– Aggregate CVE Severity Rating: Critical
This Microsoft page contains a few more details (Bleeping Computer also covered it here).
A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image. To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host.
An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
The security update addresses the vulnerability by correcting how Windows Host Compute Service Shim validates input from container images.
Microsoft has not identified any mitigating factors for this vulnerability, and there is no workaround for it either, since it is tied to container images (Docker etc.). A patched hcsshim file is available for download from GitHub.
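Microsoft's description says only that hcsshim failed to validate input from a container image while importing it. As an added illustration (my own sketch, not hcsshim's code; the page does not say which input was mis-validated), the Go example below assumes that input is the entry names inside the layer tar and shows the fail-closed check an importer needs so that no archive entry can be written outside the directory the layer is being imported into:

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ImportLayerPaths walks a layer tar and returns the host paths it would write
// under root, failing closed on the first entry that could escape root. No files
// are written here; a real importer must run the same check on hdr.Linkname.
func ImportLayerPaths(root string, archive []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var out []string
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err // truncated or malformed archive
		}
		n := strings.ReplaceAll(hdr.Name, "\\", "/") // archives use "/" separators
		if strings.HasPrefix(n, "/") || (len(n) > 1 && n[1] == ':') {
			return nil, fmt.Errorf("absolute entry name %q", hdr.Name)
		}
		dest := filepath.Join(root, filepath.FromSlash(n)) // Join also cleans ".."
		rel, err := filepath.Rel(root, dest)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, fmt.Errorf("entry %q escapes layer root", hdr.Name)
		}
		out = append(out, dest)
	}
	return out, nil
}

// BuildLayer builds a small in-memory tar from entry names (constructed sample data).
func BuildLayer(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0644})
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(ImportLayerPaths("/layer", BuildLayer("Files/ok.txt", "../../outside.txt")))
}
```

The same check applies whether the climb is spelled with "/" or "\" separators, because the name is normalised before it is joined onto the layer root.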