US-CERT Warns of Exploitable Windows ASLR Implementation Flaw

The U.S. Computer Emergency Readiness Team (US-CERT) has issued a warning about an exploitable Windows ASLR implementation flaw affecting Windows 8, Windows 8.1 and Windows 10.

Address Space Layout Randomization (ASLR) is designed to make memory-corruption exploits harder to carry out reliably. Instead of loading programs at predictable memory locations that an attacker can anticipate, ASLR loads them at randomized locations each time they run.

However, a recently discovered flaw in the Windows ASLR implementation undermines this protection, which could allow an attacker to remotely execute code and take full control of a device.

While ASLR can help to make systems safer, there have been many successful attempts to bypass the protection in recent years. However, the US-CERT warning does not cover the technology itself, but rather how Microsoft implemented the technology in Windows 8 and subsequent Windows releases.

US-CERT explains that the Windows ASLR implementation flaw is not a vulnerability, but an error in which affected Windows systems “fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard.”

ASLR itself still functions, but in Windows 8, 8.1, and 10 the way Microsoft has implemented system-wide mandatory ASLR results in programs being relocated to predictable addresses.

US-CERT researcher Will Dormann explained, “Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat.”

In its warning, US-CERT explained that the change made by Microsoft to the implementation of ASLR “Requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomize executables that do not opt in to ASLR.”

Microsoft is currently investigating the issue, and an update to correct the Windows ASLR implementation flaw is expected to be released. However, US-CERT suggests the following workaround could help to prevent exploitation of the flaw until that update is released.

Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR

To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8 or newer system, the following registry value should be imported:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

US-CERT points out that by importing this registry key, users will overwrite any existing system-wide mitigations specified by this registry value.
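The registry value above is a REG_BINARY bitfield, and importing the .reg file replaces the whole value, which is exactly the overwrite US-CERT cautions about. The following Python helper is an added example, not code from the US-CERT advisory or from this article: it parses a MitigationOptions value as exported in .reg hex form, decodes the ASLR-related policy fields using the PROCESS_CREATION_MITIGATION_POLICY_* bit positions published in the Windows SDK (winbase.h), checks whether mandatory ASLR is actually paired with bottom-up ASLR as the advisory requires, and computes a merged value that forces both on while keeping any other mitigation bits already set. The sample values are constructed and the function names are my own.

```python
import re

# Bit layout of the Session Manager\kernel MitigationOptions value, taken from the
# PROCESS_CREATION_MITIGATION_POLICY_* constants in the Windows SDK (winbase.h).
# Each policy is a 2-bit field: 01 = always on, 10 = always off, 00 = default.
DEP_ENABLE = 0x1
FORCE_RELOCATE_IMAGES_MASK = 0x300          # "mandatory ASLR"
FORCE_RELOCATE_IMAGES_ALWAYS_ON = 0x100
BOTTOM_UP_ASLR_MASK = 0x30000
BOTTOM_UP_ASLR_ALWAYS_ON = 0x10000
HIGH_ENTROPY_ASLR_MASK = 0x3000000
HIGH_ENTROPY_ASLR_ALWAYS_ON = 0x1000000

# Constructed sample: the workaround line from the US-CERT advisory, as it
# appears in an exported .reg file.
USCERT_REG_LINE = '"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00'


def parse_reg_hex(line):
    """Turn a .reg REG_BINARY line (...=hex:00,01,...) into an integer.
    The bytes are stored little-endian, so 00,01,01,00 is 0x00010100."""
    m = re.search(r'hex:([0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)', line)
    if not m:
        raise ValueError('not a REG_BINARY value line')
    raw = bytes(int(b, 16) for b in m.group(1).split(','))
    return int.from_bytes(raw, 'little')


def to_reg_hex(value, width=16):
    """Inverse of parse_reg_hex: render the value in the .reg hex: form."""
    return 'hex:' + ','.join(f'{b:02x}' for b in value.to_bytes(width, 'little'))


def field_state(value, mask, always_on):
    """Decode one 2-bit policy field into a readable state."""
    bits = value & mask
    if bits == 0:
        return 'default'
    if bits == always_on:
        return 'always on'
    if bits == always_on << 1:
        return 'always off'
    return 'invalid'


def decode(value):
    """Report the ASLR-related policies (plus DEP) encoded in a MitigationOptions value."""
    return {
        'dep': 'enabled' if value & DEP_ENABLE else 'default',
        'mandatory_aslr': field_state(value, FORCE_RELOCATE_IMAGES_MASK, FORCE_RELOCATE_IMAGES_ALWAYS_ON),
        'bottom_up_aslr': field_state(value, BOTTOM_UP_ASLR_MASK, BOTTOM_UP_ASLR_ALWAYS_ON),
        'high_entropy_aslr': field_state(value, HIGH_ENTROPY_ASLR_MASK, HIGH_ENTROPY_ASLR_ALWAYS_ON),
    }


def mandatory_aslr_has_entropy(value):
    """The US-CERT finding: on Windows 8 and later, forcing mandatory ASLR only
    randomises images that did not opt in if bottom-up ASLR is forced on too."""
    st = decode(value)
    return st['mandatory_aslr'] == 'always on' and st['bottom_up_aslr'] == 'always on'


def apply_workaround(existing):
    """Return a value with both ASLR fields forced on, preserving every other
    mitigation bit already set (importing the .reg file as-is would instead
    replace the whole value)."""
    cleared = existing & ~(FORCE_RELOCATE_IMAGES_MASK | BOTTOM_UP_ASLR_MASK)
    return cleared | FORCE_RELOCATE_IMAGES_ALWAYS_ON | BOTTOM_UP_ASLR_ALWAYS_ON


if __name__ == '__main__':
    # Constructed: an EMET-style setting that forced mandatory ASLR and DEP
    # but never touched bottom-up ASLR, i.e. the zero-entropy case.
    legacy = FORCE_RELOCATE_IMAGES_ALWAYS_ON | DEP_ENABLE
    print('legacy :', decode(legacy), 'entropy:', mandatory_aslr_has_entropy(legacy))
    fixed = apply_workaround(legacy)
    print('fixed  :', decode(fixed), 'entropy:', mandatory_aslr_has_entropy(fixed))
    print('reg    :', to_reg_hex(fixed))
    print('US-CERT:', decode(parse_reg_hex(USCERT_REG_LINE)))
```

On a live host the current value can be exported first (for example with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v MitigationOptions`) and fed through `parse_reg_hex` and `decode`, so that the merged value written back keeps DEP, SEHOP or other policies an administrator had already configured.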

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news