Vulnerability Name:

CVE-2017-8676 (CCN-131109)

Assigned:2017-09-12
Published:2017-09-12
Updated:2017-09-21
Summary:The Windows Graphics Device Interface (GDI) in Microsoft Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, 1607, 1703, and Server 2016; Office 2007 SP3; Office 2010 SP2; Word Viewer; Office for Mac 2011 and 2016; Skype for Business 2016; Lync 2013 SP1; Lync 2010; Lync 2010 Attendee; and Live Meeting 2007 Add-in and Console allows an authenticated attacker to retrieve information from a targeted system via a specially crafted application, aka "Windows GDI+ Information Disclosure Vulnerability."
CVSS v3 Severity:3.3 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2017-8676

Source: BID
Type: Third Party Advisory, VDB Entry
100755

Source: CCN
Type: BID-100755
Microsoft Windows Graphics Device Interface CVE-2017-8676 Local Information Disclosure Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1039333

Source: XF
Type: UNKNOWN
ms-gdi-cve20178676-info-disc(131109)

Source: CCN
Type: Microsoft Security TechCenter - September 2017
Windows GDI+ Information Disclosure Vulnerability

Source: CONFIRM
Type: Patch, Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8676

Source: CCN
Type: ZDI-17-724
Microsoft Windows Bitmap Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Vulnerable Configuration:Configuration 1:
  • cpe:/a:microsoft:live_meeting:2007:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:lync:2010:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:lync:2010:*:attendee:*:*:*:*:*
  • OR cpe:/a:microsoft:lync:2013:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2011:*:mac:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2016:*:mac:*:*:*:*:*
  • OR cpe:/a:microsoft:office_2007:*:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office_2010:*:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office_word_viewer:-:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:1511:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:1607:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:1703:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_7:*:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:word_viewer:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:*
  • OR cpe:/a:microsoft:office:2011:*:*:*:*:mac:*:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_7:*:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
  • OR cpe:/a:microsoft:office:2007:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:lync:2010:*:*:*:attendee:*:*:*
  • OR cpe:/a:microsoft:lync:2010:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2010:sp2:*:*:*:*:x64:*
  • OR cpe:/a:microsoft:office:2010:sp2:x32:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:-:-:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_10:-:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_10:*:*:*:*:*:*:x64:*
  • OR cpe:/a:microsoft:lync:2013:sp1:*:*:*:*:x64:*
  • OR cpe:/a:microsoft:lync_basic:2013:sp1:*:*:*:*:x64:*
  • OR cpe:/a:microsoft:office:2016:*:*:*:*:mac:*:*
  • OR cpe:/o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    microsoft live meeting 2007
    microsoft lync 2010
    microsoft lync 2010
    microsoft lync 2013 sp1
    microsoft office 2011
    microsoft office 2016
    microsoft office 2007 * sp3
    microsoft office 2010 * sp2
    microsoft office word viewer -
    microsoft skype for business 2016
    microsoft windows 10 -
    microsoft windows 10 1511
    microsoft windows 10 1607
    microsoft windows 10 1703
    microsoft windows 7 * sp1
    microsoft windows 8.1 *
    microsoft windows rt 8.1 *
    microsoft windows server 2008 * sp2
    microsoft windows server 2008 r2 sp1
    microsoft windows server 2012 -
    microsoft windows server 2012 r2
    microsoft windows server 2016 *
    microsoft word viewer *
    microsoft windows server 2008 sp2
    microsoft windows server 2008 sp2
    microsoft windows server 2008
    microsoft office 2011
    microsoft windows 7 - sp1
    microsoft windows 7 * sp1
    microsoft windows server 2008 r2
    microsoft windows server 2008 r2
    microsoft office 2007 sp3
    microsoft lync 2010
    microsoft lync 2010
    microsoft windows server 2012
    microsoft office 2010 sp2
    microsoft office 2010 sp2
    microsoft windows 8.1 - -
    microsoft windows 8.1 *
    microsoft windows server 2012 r2
    microsoft windows rt 8.1 *
    microsoft windows 10 -
    microsoft windows 10 *
    microsoft lync 2013 sp1
    microsoft lync basic 2013 sp1
    microsoft office 2016
    microsoft windows server 2016