Key Information

Vulnerability Overview
- EDB-ID: 46716
- CVE: 2019-0732
- Author: GOOGLE SECURITY RESEARCH
- Type: LOCAL
- Platform: WINDOWS
- Date: 2019-04-16
- Affected Application: N/A

Vulnerability Description
- Vulnerability Name: Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass
- Affected Platform: Windows 10 1809
- Vulnerability Type: Security Feature Bypass

Vulnerability Details
- Summary: By manipulating LUAFV operations to invoke the NtSetCachedSigningLevel system call, an attacker can apply cached signing to any file, thereby bypassing code signing enforcement under UMCI.
- Method:
  1. Create a file containing valid Microsoft-signed content (e.g., notepad.exe).
  2. Request DELETE access to virtualize the file.
  3. Copy an unsigned executable into the virtual store.
  4. Call NtSetCachedSigningLevel with flag 4.

Proof of Concept (PoC)
- A C# project is provided as PoC, enabling the signing of any DLL file and mapping it into memory, even when Microsoft-signed code mitigation is enabled.
- Link: Proof of Concept