Sid 1-45131

Message

OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt

Summary

This event is generated when an attacker attempts an arbitrary pointer dereference against the Windows Routing and Remote Access Service.

Impact

Potential remote code execution

CVE-2017-11885:

CVSS base score 6.6

CVSS impact score 5.9

CVSS exploitability score 0.7

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

This rule checks for an attempt to cause an arbitrary pointer dereference in Microsoft's Routing and Remote Access Service (RRAS). CVE-2017-11885: Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allow a remote code execution vulnerability due to the way the Routing and Remote Access service handles requests, aka "Windows RRAS Service Remote Code Execution Vulnerability".

Affected systems

  • microsoft windows_10 -
  • microsoft windows_10 1511
  • microsoft windows_10 1607
  • microsoft windows_10 1703
  • microsoft windows_10 1709
  • microsoft windows_7 -
  • microsoft windows_8.1 *
  • microsoft windowsrt8.1 -
  • microsoft windowsserver1709 -
  • microsoft windowsserver2008 -
  • microsoft windowsserver2008 r2
  • microsoft windowsserver2012 -
  • microsoft windowsserver2012 r2
  • microsoft windowsserver2016 -

Ease of attack

Hard

False positives

Not known

False negatives

Not known

Corrective action

Implement the appropriate patches for this service.

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11885