Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
3

CVE-2019-1388

Disclosure Date: November 12, 2019
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka ‘Windows Certificate Dialog Elevation of Privilege Vulnerability’.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Given the video showing how to take advantage of this vulnerability: https://youtu.be/3BQKpPNlTSo, this seems like an really easy way to do privilege escalation. Full blog here: https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 -,
  • windows 10 1607,
  • windows 10 1709,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows 7 -,
  • windows 8.1 -,
  • windows rt 8.1 -,
  • windows server 2008 -,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016 -,
  • windows server 2016 1803,
  • windows server 2016 1903,
  • windows server 2019 -

Additional Info

Technical Analysis