Pen Test Effect Advice

Document ID : KB000074878
Last Modified Date : 27/03/2018
Question:
Are SpectroSERVER, OC server, CABI server affected by the registry modification as documented in the following penetration test analysis?

Description:
The builds were vulnerable to a condition known as binary planting which could, in some circumstances, be exploited by an attacker in order to trigger arbitrary remote code execution. The problem existed because a security update had been applied but had not been activated through the manual creation of a registry key.
When an application starts up on the Windows platform, it loads functionality from a range of application extension libraries (DLL files), both its own and common platform libraries. When an application is started as a result of an associated document or data file being double-clicked (or equivalent), applications which have not been securely coded may first attempt to load libraries from the same location as the file used to initialise the application, rather than from a more controlled alternative location (such as the application installation directory).
However, if a location used to store documents or data (such as an SMB file share or WebDAV resource) were under the control of an attacker, then they could exploit this in order to run arbitrary code. They could do this by placing a malicious DLL in the same location as the document or data file, so that when the target application was launched the malicious DLL would also be run.
An update to reorder the priority of DLL search paths was released by Microsoft. However, the update does not automatically take effect when it is installed as this could disrupt third party applications. A new registry key must also be created and set to an appropriate value for the updated functionality to be enabled.

In this case, the update had been applied, but the registry key to enable it had not been set.
ntdll.dll has been upgraded by KB2264107 or a related, subsequent update, but the following registry entry has not been set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch
A number of third party software products and some Windows components were found to be vulnerable at the time of the vendor advisory, increasing the severity of the problem. It is expected that a considerable number of third party applications may still be vulnerable to this issue.

Recommendation:
Create a registry key named CWDIllegalInDllSearch in the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
The registry value should be set to ‘2’ where possible, as this will prevent library loading if the software application is located on a network share or within a WebDAV enabled directory. Testing should be undertaken to ensure that this change will not have a negative effect on any existing software.
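The check and remediation described above, as an added PowerShell example that is not part of the KB article: it reports the current CWDIllegalInDllSearch value on the host and, only when run with the example's own -Remediate switch, creates the value set to 2. It assumes an elevated PowerShell session; the function names and the switch are this example's own.

```powershell
# Added example, not from the KB article: audit the CWDIllegalInDllSearch
# mitigation the pen test recommends and, with -Remediate, set it to 2.
# Assumes an elevated PowerShell session on the host being checked; the
# -Remediate switch and function names are this example's own.
param(
    [switch]$Remediate   # report only unless this switch is supplied
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'
$Wanted    = 2   # 2 = block DLL loads when the CWD is a remote share or WebDAV folder

function Get-CwdDllSearchSetting {
    # Returns the current DWORD, or $null when the value has never been created
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # The registry provider returns DWORDs as Int32, so 0xFFFFFFFF reads back as -1; mask it
    return [uint32]($item.$ValueName -band 4294967295)
}

function Get-CwdDllSearchDescription([uint32]$v) {
    # Value meanings per Microsoft KB2264107 (linked under Additional Information)
    switch ($v) {
        0          { 'default: current working directory is searched (vulnerable)' }
        1          { 'block DLL loads when the CWD is a WebDAV folder' }
        2          { 'block DLL loads when the CWD is a WebDAV folder or a remote share' }
        4294967295 { 'remove the CWD from the DLL search order entirely (0xFFFFFFFF)' }
        default    { 'unrecognised value' }
    }
}

$current = Get-CwdDllSearchSetting
if ($null -eq $current) {
    Write-Warning "$ValueName is not set: the KB2264107 update is inactive on this host"
} else {
    Write-Output ("{0} = {1} ({2})" -f $ValueName, $current, (Get-CwdDllSearchDescription $current))
}

if ($Remediate -and $current -ne $Wanted) {
    # New-ItemProperty -Force creates the value or overwrites an existing one
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Wanted -PropertyType DWord -Force | Out-Null
    Write-Output "$ValueName set to $Wanted; re-test SpectroSERVER, OC and CABI before rolling out"
}
```

Run it without the switch first on a test host to record the current state, then with -Remediate once the regression testing the recommendation calls for has passed.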
Answer:
QA verification has been completed for this vulnerability and SE confirmed that we have not seen any issues with the registry modification entry in place.
So SpectroSERVER, OC and CABI are not affected by this registry modification.
Additional Information:
See https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the