Two newly discovered critical vulnerabilities in Microsoft Windows 10 would enable an attacker to obtain access to Windows 10 computers and intercept sensitive information. Both vulnerabilities have been fixed in Microsoft's March 2019 security update.
The vulnerabilities were discovered by Mikhail Tsvetkov of Positive Technologies in the DHCP (Dynamic Host Configuration Protocol) client built into Windows 10. DHCP is responsible for automatically connecting devices to a network by assigning IP addresses and other network parameters. DHCP helps to avoid network conflicts, such as duplicate IP addresses, and removes the need to configure each device manually.
Positive Technologies reports that an administrator need only configure a DHCP server once, on a physical server or router, to assign IP addresses and other network parameters to DHCP clients (such as employee workstations, printers, and other equipment). Network configuration is assigned for a lease period set by the administrator.
In an email to SC Media UK, Tsvetkov explained: "Here is how such a vulnerability could be exploited. An attacker configures a DHCP server on their computer. The server responds to network configuration requests with malformed packets. On some networks, this attack is possible from a mobile phone or tablet. Then the attacker waits for a vulnerable Windows 10 computer to ask for a renewal of its IP address lease, which usually happens every few hours. By sending this invalid response, the attacker can obtain the rights of an anonymous user on the victim computer."
Even at that point, exploitation of this vulnerability was no "home run" for the attacker, since the anonymous user has limited privileges: access to user and system processes, registry folders and branches, and a number of other folders is forbidden. However, other vulnerabilities could be chained to escalate privileges and continue the attack.
Positive Technologies reports that in 100 percent of its test cases it was possible to obtain full control over the network from an employee computer. At some organisations, attacks could originate directly from external networks (when DHCP Relay has been configured to get network parameters from an external DHCP server).
Both vulnerabilities were exploited by spoofing the response from the legitimate DHCP server with a specially crafted message. The attacker sent a special list of DNS suffixes (CVE-2019-0726) or included an abnormally large number of options in the DHCP response (CVE-2019-0697).
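As an added defensive illustration, not part of the article or of Positive Technologies' research, the following Python parses a raw DHCP reply and flags the traits described above that a defender would want to review: a server identifier that is not on an allowlist, an option count above a threshold, or a DNS search list option (option 119). The allowlist, the threshold and the sample messages are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_DOMAIN_SEARCH, OPT_END, OPT_PAD = 53, 54, 119, 255, 0
MAX_OPTIONS = 20                  # assumed threshold for "abnormally many options"
TRUSTED_SERVERS = {"192.0.2.1"}   # constructed allowlist of legitimate DHCP servers

def parse_options(msg: bytes):
    """Return (code, data) pairs from a raw DHCP message; raise on truncation."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = [], 240                 # options start after the 236-byte header + cookie
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:           # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option %d" % code)
        length = msg[i + 1]
        opts.append((code, msg[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def audit_reply(msg: bytes):
    """List the reasons a defender should inspect this DHCP OFFER/ACK (empty = clean)."""
    findings = []
    try:
        opts = parse_options(msg)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    server = [d for c, d in opts if c == OPT_SERVER_ID]
    if not server or len(server[0]) != 4 or str(IPv4Address(server[0])) not in TRUSTED_SERVERS:
        findings.append("server identifier missing or not on allowlist")
    if len(opts) > MAX_OPTIONS:
        findings.append("%d options (threshold %d)" % (len(opts), MAX_OPTIONS))
    if any(c == OPT_DOMAIN_SEARCH for c, _ in opts):
        findings.append("DNS search list (option 119) present")
    return findings

def build_reply(server_ip: str, extra: list) -> bytes:
    """Constructed sample: a minimal DHCP ACK carrying the given extra options."""
    head = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0) + bytes(4 * 4 + 16 + 64 + 128)
    body = bytes([OPT_MSG_TYPE, 1, 5, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    for code, data in extra:
        body += bytes([code, len(data)]) + data
    return head + MAGIC_COOKIE + body + bytes([OPT_END])
```

Run over mirrored or captured DHCP traffic, a non-empty result is a reason to locate the responding host rather than proof of an exploit attempt.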