LTS Secure Warning: Microsoft Cortana Vulnerability allows unauthorized access

In June 2018, senior principal engineer Cedric Cochin at McAfee discovered a flaw in Cortana that could allow an attacker to elevate privileges and execute code from the lock screen. The issue is tracked as CVE-2018-8140.

Microsoft explains that the vulnerability exists when Cortana retrieves data from user input services without consideration for status. The company confirms that it could be exploited to execute commands with elevated permissions.

Technical Details

This vulnerability requires physical access to the impacted device and appears connected to a flaw independent researchers Amichai Shulman and Tal Be’ery detailed in March, and which could be abused to install malware on the affected computers.

In order to exploit the issue, an attacker with access to the impacted computer needs to have Cortana assistance enabled. A user can interact with the voice-based assistant even from the lock screen, by saying “Hey Cortana.”

Cortana can also be tricked into displaying search results with the contextual search menu from the lock screen. This, however, requires the use of a keyboard-timing sequence: “any keystroke can trigger the menu from the time when Cortana begins to listen to when the answer is displayed.”

When hovering over a file in the search results provided by Cortana, the full path or the content of the file would be displayed. When clicking on the file, it is launched using the appropriate program, but would only be accessible after the user logs in. “At this point, we can execute various preloaded Windows utilities such as the calculator, but we cannot pass any parameters to the command line. We can open scripts, including PowerShell, but instead of being executed, they will be opened in a text editor (notepad),” Cochin says.

Thus, an attacker can drop an executable in the OneDrive folder, which can then even be executed as an administrator by simply right-clicking on it.

Impact

The report says a large amount of publicly available data has been compromised; attackers use private SSH keys to access servers, certificates that can be used to decrypt network traffic, PII, and more sensitive data.

Moreover, the attackers have now been found using the compromised servers as a proxy to scan for and find vulnerabilities, including SQL injection, cross-site scripting, malicious file uploads, and remote code execution, in other websites.

Recommended Actions

To prevent exploitation of the vulnerability, turn off Cortana on the lock screen. Installing the recently released fixes for CVE-2018-8140 also mitigates the attack.

Do not leave your computer unattended. It is important to note that this vulnerability is completely dependent on physical access to a Windows 10 computer with Cortana.
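
One way to check and enforce the "turn off Cortana on the lock screen" recommendation, as an added example that is not part of the original advisory. The registry locations are the Windows "Allow Cortana above lock screen" policy value and the per-user voice activation preference; neither is named on this page, and treating a missing value as "not hardened" is a conservative assumption. Patch state for CVE-2018-8140 is not checked here.

```powershell
# Added example: audit (and optionally set) the Cortana lock-screen settings.
# Usage: .\Check-CortanaLock.ps1            (report only; script name is hypothetical)
#        .\Check-CortanaLock.ps1 -Remediate (write 0 to both values; run elevated for HKLM)
param([switch]$Remediate)

$checks = @(
    @{ Name  = 'Machine policy: Allow Cortana above lock screen'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Value = 'AllowCortanaAboveLock' },
    @{ Name  = 'Current user: voice activation above lock screen'
       Path  = 'HKCU:\Software\Microsoft\Speech_OneCore\Preferences'
       Value = 'VoiceActivationEnableAboveLockscreen' }
)

$results = foreach ($c in $checks) {
    # Read the value; a missing key or value yields $null instead of an error.
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($c.Value) } else { $null }

    # Assumption: only an explicit 0 counts as hardened; "not set" is reported as exposed.
    $hardened = ($null -ne $current) -and ($current -eq 0)

    if (-not $hardened -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -Value 0 `
            -PropertyType DWord -Force | Out-Null
        $current  = 0
        $hardened = $true
    }

    [pscustomobject]@{
        Setting  = $c.Name
        Current  = if ($null -eq $current) { '(not set)' } else { $current }
        Hardened = $hardened
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a management tool flag hosts that still expose Cortana on the lock screen.
if ($results.Hardened -contains $false) { exit 1 }
```

The per-user value only covers the account running the script, so the machine policy is the setting to rely on for shared or multi-user devices.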

 

 

McAfee released a security advisory about this vulnerability in Microsoft Cortana on June 12, 2018.