Microsoft Windows contains a vulnerability in the RtlQueryRegistryValues API when handling specially crafted user-controlled registry keys. An attacker leveraging this vulnerability could gain kernel-level privileges. There are reports of this vulnerability being actively exploited in the wild.
Windows Vista, 2008, 7, and 2008 R2
Elevation of Privilege
Local elevation of privileges to System rights
Attackers exploiting this vulnerability would be seeking to gain kernel-level access to a machine. Because this privilege escalation vulnerability is only locally exploitable, it would need to be used in combination with some other exploit that first gains access to the system. After exploiting the vulnerability, the attacker would be able to execute code with kernel-level privileges.
BeyondTrust Prevention and Detection:
- BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
- Retina Audit ID 14082 - Microsoft Windows Kernel Privilege Escalation (2393802)
- Retina Audit ID 14083 - Microsoft Windows Kernel Privilege Escalation (2393802) - 2003 IA64
Apply the appropriate patch from MS11-011.