While we all breathed a sigh of relief after patching our systems against the two zero-days reported in the April Patch Tuesday, news broke that one of them was being actively exploited in the wild and could allow an attacker to completely compromise a system. This is another case of win32k.sys in jeopardy.
The vulnerability, assigned CVE-2019-0859, was reported by Vasiliy Berdnikov and Boris Larin of Kaspersky Lab. It is an elevation of privilege vulnerability caused by improper handling of objects in memory by the Win32k component. Successful exploitation allows an attacker who already has local code execution to run arbitrary code in kernel mode, which could then be used to view, change, or delete data, install programs, or create new accounts with full user rights and establish backdoors connecting back to the attacker.
Researchers believe this bug is a new addition to the toolset used in campaigns carried out by APT groups such as SandCat and FruityArmor.
CVSS v3.0 Severity and Metrics:
Base Score: 7.8 HIGH
CVSS v2.0 Severity and Metrics:
Base Score: 7.2 HIGH
Affected versions:
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
We can use the SanerNow platform to detect and patch this critical vulnerability quickly across the organization, as shown in the diagrams below.
NOTE: This vulnerability is being actively exploited by attackers to break into systems, hence consider applying the fix immediately.
SanerNow: Vulnerability detection and patching of CVE-2019-0859:
1. Log in to the SanerNow platform.
2. Switch to the account/site-specific view and go to the 'VM tool'.
3. The CVE-2019-0859 vulnerability will be listed under 'Top Vulnerabilities' or 'Recently Discovered Vulnerabilities', as shown in the diagram below.
4. Search for this vulnerability in the VM tool. If you are affected, apply the patch through PM -> Missing Patches.
5. Select 'Groups/Devices' in the 'Asset Source' section and click 'Apply'.
6. Select the appropriate patches from the 'Asset' section, as shown in the diagram below. Please refer to the Microsoft advisory for more information.
7. Select 'Apply Selected Patches' at the rightmost corner. This will prompt for 'Creating Patching Task'. Fill in 'Task Name' and 'Remediation Schedule' as per your preference and click 'Apply Selected Patches', as shown below.
8. A remediation job will be created, which fixes the vulnerability by applying the patch.
9. Once remediation is done, the Saner agent automatically rescans and uploads the result.
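After the remediation job runs, it is worth confirming on the endpoint itself, independently of the patch tool, that the fixed win32k.sys is actually in place. The PowerShell function below is an added example written for this post and is not SanerNow code or Microsoft code. It checks two things: whether any of the April 2019 update KB IDs shows up in Get-HotFix, and whether the installed win32k.sys file version is at or above the version shipped by the fix. The KB IDs and the minimum file version are parameters you must fill in from the Microsoft advisory for CVE-2019-0859 for your OS build; the values in the usage line at the bottom are placeholders, not the real identifiers.

```powershell
# Added example (not from the original post or from SanerNow/Microsoft).
# Verifies that the April 2019 win32k.sys fix is present on the local machine.
#
# Assumptions (fill these from the Microsoft advisory for CVE-2019-0859):
#   -KbIds               KB identifiers of the April 2019 update(s) for this OS build
#   -MinimumFileVersion  win32k.sys file version shipped in that update
function Test-Win32kPatched {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $KbIds,
        [Parameter(Mandatory)] [version]  $MinimumFileVersion
    )

    # 1. KB-based check. Note that on Windows 10/2016/2019 a later cumulative
    #    update supersedes the April one, so the April KB may legitimately be
    #    absent even though the fix is in place; treat this as a hint only.
    $installedKbs = Get-HotFix |
        Where-Object { $KbIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # 2. File-version check. This is the robust signal: cumulative updates only
    #    ever raise the version of win32k.sys, so "version >= fixed version"
    #    holds after any later update as well.
    $win32k = Get-Item -Path (Join-Path $env:SystemRoot 'System32\win32k.sys')
    $vi     = $win32k.VersionInfo
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Win32kPath         = $win32k.FullName
        Win32kFileVersion  = $fileVersion
        Win32kLastWrite    = $win32k.LastWriteTimeUtc
        KbInstalled        = @($installedKbs)
        VersionMeetsFix    = ($fileVersion -ge $MinimumFileVersion)
        # Patched if the file version is new enough; the KB match alone is not
        # sufficient, because a KB can be listed while a later rollback left
        # an old binary behind, and can be missing after supersession.
        Patched            = ($fileVersion -ge $MinimumFileVersion)
    }
}

# Usage (placeholder values; replace with the IDs and version from the advisory):
# Test-Win32kPatched -KbIds 'KB0000000' -MinimumFileVersion '10.0.0.0'
```

To sweep a fleet rather than one host, wrap the call in Invoke-Command -ComputerName against the device list exported from the SanerNow VM tool and filter on Patched -eq $false; any machine that still reports an old win32k.sys after the remediation job completed is one the agent's rescan should also flag, and the two views should agree.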