Windows task scheduler Local privilege escalation vulnerability in ALPC interface

Advisory: CERT.be Advisory #2018-025
Version: 1.0
CVSS: -
Affected software: ALPC interface of Windows task scheduler
Type: Local Privilege Escalation

Sources

https://www.darkreading.com/application-security/powerpool-malware-uses-...
https://www.bleepingcomputer.com/news/security/windows-task-scheduler-ze...
https://www.kb.cert.org/vuls/id/906424

Risks

CERT.be recommends that system administrators install the latest updates as soon as they become available. Microsoft has not yet patched the ALPC bug, but it is expected to release a fix in its monthly security updates on September 11. The vulnerability presents the following risk: Local Privilege Escalation.

Summary

Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges. The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC, which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs. This can be leveraged to gain SYSTEM privileges.
This vulnerability is being exploited in the wild.

Remediation

Microsoft is expected to release an update for this vulnerability in its monthly security updates on September 11. Meanwhile, there is a workaround (not approved by Microsoft, proceed with caution!).

Set ACLs on the C:\Windows\Tasks directory

Karsten Nilsen has provided a mitigation for this vulnerability. This change will reportedly break things created by the legacy task scheduler interface, which can include SCCM and the associated SCEP updates. Please test this mitigation before deployment to verify that it does not cause unacceptable consequences in your environment.

To apply this mitigation, run the following commands in an elevated-privilege prompt:

    icacls c:\windows\tasks /remove:g "Authenticated Users"
    icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)

Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:

    icacls c:\windows\tasks /remove:d system
    icacls c:\windows\tasks /grant:r "Authenticated Users":(RX,WD)

Source: https://twitter.com/karsten_nilsen/status/1034406706879578112
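As an added example (not part of the CERT.be advisory or of Karsten Nilsen's mitigation), the following PowerShell function reports whether the two ACL changes above are currently in place on C:\Windows\Tasks, so an administrator can confirm the workaround is applied before the patch and confirm it has been rolled back afterwards. It assumes the English identity names NT AUTHORITY\Authenticated Users and NT AUTHORITY\SYSTEM as returned by Get-Acl.

```powershell
# Added example: check the interim ACL mitigation on C:\Windows\Tasks.
# Assumes the path from the advisory and English (non-localized) identity names.

function Test-TasksDirMitigation {
    param([string]$Path = 'C:\Windows\Tasks')

    $acl = Get-Acl -Path $Path
    $authUsersWrite = $false   # can "Authenticated Users" still create files (WD)?
    $systemDeny     = $false   # is the deny ACE for SYSTEM with WD + WDAC present?

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # WD = WriteData (create files); WDAC = ChangePermissions. These are the two
        # rights named in the /deny command of the mitigation.
        $hasWD   = ($ace.FileSystemRights -band
                    [System.Security.AccessControl.FileSystemRights]::WriteData) -ne 0
        $hasWDAC = ($ace.FileSystemRights -band
                    [System.Security.AccessControl.FileSystemRights]::ChangePermissions) -ne 0

        if ($id -eq 'NT AUTHORITY\Authenticated Users' -and
            $ace.AccessControlType -eq 'Allow' -and $hasWD) {
            $authUsersWrite = $true
        }
        if ($id -eq 'NT AUTHORITY\SYSTEM' -and
            $ace.AccessControlType -eq 'Deny' -and $hasWD -and $hasWDAC) {
            $systemDeny = $true
        }
    }

    # MitigationApplied is true only when both icacls changes are in effect;
    # after the patch and the rollback commands it should read false again.
    [pscustomobject]@{
        Path                    = $Path
        AuthenticatedUsersWrite = $authUsersWrite
        SystemDenyPresent       = $systemDeny
        MitigationApplied       = (-not $authUsersWrite) -and $systemDeny
    }
}

Test-TasksDirMitigation | Format-List
```

Run it from an elevated prompt on each host before and after applying or reverting the icacls commands.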