Vulnerability Name:

CVE-2011-4434 (CCN-71291)

Assigned:2011-11-09
Published:2011-11-09
Updated:2020-09-28
Summary:Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 do not properly enforce AppLocker rules, which allows local users to bypass intended access restrictions via a (1) macro or (2) scripting feature in an application, as demonstrated by Microsoft Office applications and the SANDBOX_INERT and LOAD_IGNORE_CODE_AUTHZ_LEVEL flags.
CVSS v3 Severity:5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:3.6 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P)
3.0 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-264
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2011-4434

Source: CCN
Type: Microsoft Article ID: 2532445
You can circumvent AppLocker rules by using an Office macro on a computer that is running Windows 7 or Windows Server 2008 R2

Source: MSKB
Type: UNKNOWN
2532445

Source: CCN
Type: OSVDB ID: 77213
Microsoft Windows AppLocker Rule Weakness Local Access Restriction Bypass

Source: CCN
Type: BID-50687
Microsoft Windows AppLocker Rules Local Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
ms-win-applocker-security-bypass(71291)

Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [08-15-2019]
Applocker Evasion - MSBuild

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_7:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_7:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x64:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x86:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:microsoft:windows_7:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    microsoft windows 7 *
    microsoft windows 7 -
    microsoft windows 7 - sp1
    microsoft windows 7 - sp1
    microsoft windows server 2008 r2
    microsoft windows server 2008 r2 sp1
    microsoft windows 7 -
    microsoft windows server 2008 - r2
    microsoft windows server 2008 r2 sp1