Traps CVE-2019-0708

L1 Bithead

Traps CVE-2019-0708

Does Traps offer protection against CVE-2019-0708 ?

L2 Linker

Re: Traps CVE-2019-0708

I've just opened a support case on this, I'll post when I hear back.

L0 Member

Re: Traps CVE-2019-0708

Hi, any reply from the Support team?

L2 Linker

Re: Traps CVE-2019-0708

Hello Chirag,

 

I did receive a response, but it wasn't completely definitive. At the time that I opened the case, there was no PoC code available for CVE-2019-0708, but the TAC engineer did research on the exploit and stated that it should be covered by Traps Default protections given his understanding of how the exploit works.

 

Now that there is exploit code available, I plan on spinning up a Windows VM with Traps to test this statement. I probably won't get to this until later this week.


 

L0 Member

Re: Traps CVE-2019-0708

Thanks Brandon for sharing an update. 

Please do share the outcome from your test.

Cheers, 

L2 Linker

Re: Traps CVE-2019-0708

Hello All,

 

So as of today, I was able to get some time to do some further testing. It looks like the default protection built into Traps unfortunately doesn't seem to catch this. I'm still trying to determine if there is a configuration change (focusing on the Exploit Profiles) that will protect the process that is exploited as part of this CVE (CVE-2019-0708).

 

The testing methodology that I have used is as follows:

1. Spun up a Windows 7 VM, and fired a PoC Crash exploit at the unpatched system. This resulted in a Blue Screen and the machine crashed. Presumably if someone modifies this Blue Screen PoC code to get their own RCE (Remote Code Execution), then they could get their code executing on a system without a Blue Screen.

 

2. Next, I installed the latest Traps Agent on the Windows 7 VM, and rebooted. After the reboot, I fired the PoC crash exploit at the unpatched system yet again, and achieved the same result, with nothing being reported in the Traps Management Service.

 

I plan on opening another support ticket to inquire now that there is PoC code available. I'll post the results of that here later.

 

Thanks

 

 

 

 
