Vulnerability Name: CVE-2017-11940 (CCN-136154)

Assigned: 2017-12-07
Published: 2017-12-07
Updated: 2018-10-30
Summary: The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, 1709 and Windows Server 2016, Windows Server, version 1709, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to remote code execution. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability". This is different than CVE-2017-11937.
CVSS v3 Severity: 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-119
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2017-11940

Source: BID
Type: Third Party Advisory, VDB Entry
102104

Source: CCN
Type: BID-102104
Microsoft Malware Protection Engine CVE-2017-11940 Remote Code Execution Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1039972

Source: XF
Type: UNKNOWN
ms-mpe-cve201711940-code-exec(136154)

Source: CCN
Type: Microsoft Security TechCenter - December 2017
Microsoft Malware Protection Engine Remote Code Execution Vulnerability

Source: CONFIRM
Type: Patch, Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11940

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:* (Version <= 1.1.14306.0)
  • AND
  • cpe:/a:microsoft:exchange_server:2013:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2016:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:forefront_endpoint_protection_2010:-:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:windows_defender:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:1511:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:1607:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:1703:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:1709:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_1709:-:*:*:*:*:*:x64:*

Configuration CCN 1:
  • cpe:/a:microsoft:windows_defender:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:security_essentials:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:forefront_endpoint_protection:2010:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2016:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:endpoint_protection:-:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:forefront_endpoint_protection:-:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:intune_endpoint_protection:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2013:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_7:-:sp1:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_7:*:sp1:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:-:-:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:-:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server:1709:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    microsoft malware protection engine *
    microsoft exchange server 2013
    microsoft exchange server 2016
    microsoft forefront endpoint protection 2010 -
    microsoft windows defender -
    microsoft windows 10 -
    microsoft windows 10 1511
    microsoft windows 10 1607
    microsoft windows 10 1703
    microsoft windows 10 1709
    microsoft windows 7 - sp1
    microsoft windows 8.1 -
    microsoft windows rt 8.1 -
    microsoft windows server 2016 -
    microsoft windows server 2016 1709
    microsoft windows defender *
    microsoft security essentials *
    microsoft forefront endpoint protection 2010
    microsoft exchange server 2016
    microsoft endpoint protection -
    microsoft forefront endpoint protection -
    microsoft intune endpoint protection *
    microsoft exchange server 2013
    microsoft windows 7 - sp1
    microsoft windows 7 * sp1
    microsoft windows 8.1 - -
    microsoft windows 8.1 -
    microsoft windows rt 8.1 *
    microsoft windows 10 -
    microsoft windows 10 -
    microsoft windows server 2016
    microsoft windows server 1709