This episode is based on posts from [my Telegram channel avleonovcom](<https://t.me/avleonovcom>), published in the last 2 weeks. So, if you use Telegram, please subscribe. I update it frequently.

## Barapass update
I recently [released an update](<https://github.com/leonov-av/barapass>) to my password manager **barapass**. BTW, it seems to be my only pet project at the MVP stage that I actually use every day.
What's new:
1. Now I am sure that it works on Windows 10 without WSL, and you can run it beautifully even with an icon. Read more about installation on Windows [in this file](<https://github.com/leonov-av/barapass/blob/master/how_to_use_barapass_in_windows.txt>).
2. "Copy the next value to the clipboard" (or "revolver mode") is no longer the only option in the search results section. You can also get the previous value, or copy the same value once again if it was somehow erased from the clipboard. Previously, I had to retype the search request each time to do this, and it was quite annoying. By the way, I unexpectedly discovered that the user input history inside the application magically works in the Windows shell (using the up and down arrows) without any additional coding. On Linux it does not.
3. You can set a startup command, for example, to decrypt the container.
4. The startup command and quick (favorite) commands are now in settings.json and not hard-coded.
5. settings.json, container files and decrypted files are now in the "files" directory. This makes updating barapass more convenient: just replace the scripts in the root directory and that's it. I divided the scripts into several files, so it should now be clearer how it works.
So, if you need a minimalistic console password manager in which you can easily use any encryption you like - welcome! You can read more about **barapass** [in my previous post](<https://avleonov.com/2019/09/17/barapass-console-password-manager/>).
## Google Tsunami
Have you heard about the new open source Tsunami vulnerability scanner released by Google ([github](<https://github.com/google/tsunami-security-scanner>))? What do you think about it? Is it the real thing or just another [useless automation layer over nmap](<https://github.com/google/tsunami-security-scanner/blob/master/docs/orchestration.md>)? Right now I lean toward the second option. And I'm pretty skeptical that they will make effective and safe plugins for exploit-based vulnerability detection. The fact that it is 99.5% Java code doesn't make me enthusiastic either. But, of course, I want to believe that it will be the new "kubernetes" of the Vulnerability Management area. Let's discuss in [@avleonovchat](<https://t.me/avleonovchat>).

Vote here: <https://t.me/avleonovcom/731>
## RCE in Windows DNS Server
Yep, yet another short post about **SIGRed** ([video](<https://www.youtube.com/watch?v=PUlMmhD5it8>), [MS CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)). Getting RCE with only a DNS request is really impressive. And it was there for 17 years! OMG, what attackers could do with this in a corporate environment! [Checkpoint guys stated that](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) "Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it."

Vote here: <https://t.me/avleonovcom/733>
## SAP RECON
If your organization uses **SAP** (my condolences), you should initiate some patching right now and make sure this stuff is NOT available on your network perimeter. There is already an [exploit](<https://github.com/chipik/SAP_RECON>) available for these vulnerabilities:
- [CVE-2020-6287](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>) - an unauthenticated attacker can "execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user"
- [CVE-2020-6286](<https://nvd.nist.gov/vuln/detail/CVE-2020-6286>) - an unauthenticated attacker can perform path traversal
I also found a funny bug: **Nessus** has a [remote plugin](<https://www.tenable.com/plugins/nessus/138506>) to detect these vulnerabilities, but you were not able to find it on the **Tenable** website by searching for "CVE-2020-6287" in the [CVE filter](<https://www.tenable.com/plugins/search?q=cves%3A\(%22CVE-2020-6287%22\)&sort=&page=1>). Why? When they edited the CVE list in the plugin, they put "CVE-2020-6286" there twice, so "CVE-2020-6287" was never indexed for that plugin.

Sometimes such things happen.
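A small consistency check for exactly this kind of slip, written for this post as an added example (it is not Tenable's code and not part of the original post): it pulls the CVE ids out of a NASL plugin's `script_cve_id(...)` call, compares them with the CVE ids mentioned in the plugin's description text, and reports duplicates and ids that appear in only one of the two places. The plugin snippet embedded below is constructed to reproduce the duplicated-CVE state the post describes; it is not the real plugin source.

```python
"""Check that a Nessus (NASL) plugin's declared CVE list matches its description.

Added example, not code from the original post or from Tenable. The sample
plugin text is constructed to reproduce the slip described in the post:
"CVE-2020-6286" listed twice and "CVE-2020-6287" missing from script_cve_id().
"""
from __future__ import annotations

import re
from collections import Counter

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed NASL fragment (hypothetical, trimmed to the parts the check needs).
SAMPLE_PLUGIN = r'''
if (description)
{
  script_id(138506);
  script_cve_id("CVE-2020-6286", "CVE-2020-6286");
  script_name(english:"SAP NetWeaver AS Java Multiple Vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of SAP NetWeaver AS Java detected on the remote host may be
affected by multiple vulnerabilities (CVE-2020-6287, CVE-2020-6286).");
  script_end_attributes();
}
'''

# The same fragment with the CVE list corrected, for comparison.
FIXED_PLUGIN = SAMPLE_PLUGIN.replace(
    '"CVE-2020-6286", "CVE-2020-6286"', '"CVE-2020-6286", "CVE-2020-6287"'
)


def declared_cves(nasl_source: str) -> list:
    """CVE ids passed to script_cve_id(...), in order, duplicates kept."""
    m = re.search(r"script_cve_id\s*\(([^)]*)\)", nasl_source)
    return CVE_RE.findall(m.group(1)) if m else []


def described_cves(nasl_source: str) -> set:
    """CVE ids mentioned inside the plugin's "description" attribute string."""
    m = re.search(
        r'attribute\s*:\s*"description"\s*,\s*value\s*:\s*"((?:[^"\\]|\\.)*)"',
        nasl_source,
    )
    return set(CVE_RE.findall(m.group(1))) if m else set()


def check_plugin(nasl_source: str) -> dict:
    """Report duplicate ids and ids present in only one of the two places.

    A CVE that is in the description but not in script_cve_id() is the case
    from the post: the plugin detects the bug, but a CVE search will not find it.
    """
    counts = Counter(declared_cves(nasl_source))
    described = described_cves(nasl_source)
    return {
        "duplicates": sorted(c for c, n in counts.items() if n > 1),
        "missing_from_cve_id": sorted(described - set(counts)),
        "missing_from_description": sorted(set(counts) - described),
    }


if __name__ == "__main__":
    for label, src in (("as shipped", SAMPLE_PLUGIN), ("after fix", FIXED_PLUGIN)):
        print(label, check_plugin(src))
```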
## Weird attack on Twitter
A little bit about Twitter? Of course, [the last incident](<https://edition.cnn.com/2020/07/16/tech/twitter-hack-security-analysis/index.html>) puzzled me a lot. Let's say you have access to the Twitter accounts of Bill Gates, Elon Musk, Obama, Apple and others, and you post a silly Bitcoin scam? Whaat?

I recently had some practice in writing email templates for anti-phishing training (btw, my [video about antiphishing](<https://www.youtube.com/watch?v=ODyJRBUZMfY>)) and was amazed at what results can be achieved with regular email messages if you add a little bit of imagination and choose the right time. Even IT security professionals open files and URLs, enter credentials on fake sites, etc.!
It is absolutely clear that these attackers could have done something humongous: from mass harvesting of user accounts and distribution of any malware through high-quality phishing websites to advanced market manipulation. And instead of all this, some messages about bitcoins. It's strange.

Vote here: <https://t.me/avleonovcom/741>

script_xref(name:\"MSFT\", value:\"MS20-4565483\");\n script_xref(name:\"MSFT\", value:\"MS20-4565503\");\n script_xref(name:\"MSFT\", value:\"MS20-4565511\");\n script_xref(name:\"MSFT\", value:\"MS20-4565524\");\n script_xref(name:\"MSFT\", value:\"MS20-4565529\");\n script_xref(name:\"MSFT\", value:\"MS20-4565535\");\n script_xref(name:\"MSFT\", value:\"MS20-4565536\");\n script_xref(name:\"MSFT\", value:\"MS20-4565537\");\n script_xref(name:\"MSFT\", value:\"MS20-4565539\");\n script_xref(name:\"MSFT\", value:\"MS20-4565540\");\n script_xref(name:\"MSFT\", value:\"MS20-4565541\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/07/24\");\n\n script_name(english:\"Microsoft DNS Server Remote Code Execution (SIGRed)\");\n script_summary(english:\"Checks version of Microsoft DNS Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The DNS server running on the remote host is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Microsoft DNS\nServer running on the remote host is affected by a remote code\nexecution vulnerability. 
An unauthenticated, remote attacker who\nsuccessfully exploited the vulnerability could run arbitrary code in\nthe context of the Local System Account.\n\nNote that in order to get the full Microsoft DNS server version, the\nEnableVersionQuery DNS setting would need to be set to 1.\");\n # https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?22a53c13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, version 1903, 1909, and 2004.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1350\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_dns_version.nasl\");\n script_require_keys(\"ms_dns/version\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nkb_ver = 'ms_dns/version';\nversion = get_kb_item_or_exit(kb_ver);\nport = 53;\n\napp_info = vcf::get_app_info(app:'Microsoft DNS server', kb_ver:kb_ver, port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\nconstraints = [\n # Windows Server 2008\n { 'min_version': '6.0.6003.0', 'fixed_version': '6.0.6003.20885' },\n\n # Windows Server 2008 R2\n { 'min_version': '6.1.7601.0', 'fixed_version': '6.1.7601.24557' },\n\n # Windows Sever 2012\n { 'min_version': '6.2.9200.0', 'fixed_version': '6.2.9200.23084' },\n\n # Windows Sever 2012 R2\n { 'min_version': '6.3.9600.0', 'fixed_version': '6.3.9600.19759' },\n \n # Windows Server 2016\n { 'min_version': '10.0.14393.0', 'fixed_version': '10.0.14393.3808' },\n\n # Windows Server 2019\n { 'min_version': '10.0.17763.0', 'fixed_version': '10.0.17763.1339' },\n\n # Windows Server, version 1903/1909\n # 1903 and 1909 have the same KB\n { 'min_version': '10.0.18362.0', 'fixed_version': '10.0.18362.959' },\n\n # Windows Server, version 2004\n { 'min_version': '10.0.19041.0', 'fixed_version': '10.0.19041.388' }\n\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-16T16:20:58", "description": "PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, 
"published": "2020-07-15T15:20:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2022-03-16T15:43:51", "id": "422E055A-09D9-5999-8596-B4036633B613", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:54:34", "description": "<b>[CVE-2020-6287] SAP NetWeaver AS JAVA (LM Configuration Wizar...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-13T09:12:37", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2021-08-19T10:38:43", "id": "1CA47E3F-F5D0-59BE-8F16-9671BB19B938", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-18T18:39:00", "description": "# CVE-2020-6287-exploit\n### PoC for CVE-2020-6287\n### The PoC in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-20T18:45:53", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2022-01-18T17:25:12", "id": "DB41442F-7258-545C-BAD0-1F0FB13E16BD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T16:18:04", "description": "<b>[CVE-2020-6286] SAP NetWeaver AS JAVA (LM Configuration Wizar...", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-08-13T09:00:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286"], "modified": "2022-03-16T15:43:59", "id": "BB10DCF1-2FBA-5DDC-B650-CEE45D356728", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:12:56", "description": "# Vulnerability Assessment and Indicator of Compromise (IoC) Sca...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-21T01:22:45", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6287"], "modified": "2022-02-10T19:07:30", "id": "26FAD860-F058-5B8B-999F-56C318A499D4", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:54:35", "description": "This is an educational exercise...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-19T17:32:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:39:05", "id": "FB0D7C2A-01EB-5929-A539-96230C17B90F", "href": "", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:25", "description": "# CVE-2020-1350 (SigRED)\n\nWorkarou...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T19:28:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-05-06T11:57:25", "id": "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:01", "description": "# CVE-2020-1350 (AKA SIGRed) v0.30\n\n## Summary: \nA Zeek package...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, 
"published": "2020-07-15T05:55:20", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-01-14T18:47:12", "id": "CB69BCC3-2317-5740-8B01-4F6F0D320AC3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:09", "description": "# CVE-2020-1350\nScanner and Mitigat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-18T13:49:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-01-27T17:38:05", "id": "0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:58:14", "description": "# CVE-2020-1350 SIGRed Denial of Service PoC Exploit\n\nThis repo ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-16T16:46:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-01-09T21:16:20", "id": "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:10", "description": "# Overview\n\nMicrosoft announced CVE-2020-1350 on July 14 2020. 
T...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T19:43:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:38:31", "id": "DD3676BD-E792-5189-86EE-4765FF68EFCB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-31T19:43:29", "description": "# CVE-2020-1350\nThis Powershell Script is checking if your serve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T05:46:31", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-07-31T16:10:52", "id": "93EEDE73-1DB4-5905-BCAB-CDC6F98831CD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-07T02:44:35", "description": "# This is an educational exercise. Use at your own risk.\n\n# CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T19:02:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-06T02:40:10", "id": "F3CF4A79-402B-56C0-8689-1AF5EBFECF3F", "href": "", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:40", "description": "# CVE-2020-1350\nCVE-2020-1350 Proof-of-Concept\n\nEnvironment Setu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-17T05:41:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-03-16T16:44:01", "id": "9DE76D04-93D7-5923-9AE3-457D591197D6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:45", "description": "# [KB4569509: Guidance for DNS Server Vulnerability CVE-2020-135...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": 
be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. 
So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\n**ccondon-r7** at July 28, 2020 8:24pm UTC reported:\n\nImportant Update: This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nUpdate: Checkpoint has since released their blog post at <https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/> with much more details on this vulnerability than when I originally wrote this. I\u2019ll update a few statements here but readers are encouraged to read the paper for more details.\n\nOn July 14th, 2020, Microsoft released CVE-2020-1350, a critical DNS server remote code execution vulnerability that can result in Domain compromise and which is listed as a 10.0 CVE rating. Microsoft also described this vulnerability as wormable and recommended the following mitigation:\n \n \n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters \n DWORD = TcpReceivePacketSize \n Value = 0xFF00\n \n\nThis is rather odd to me. 
0xFF00 looks like a potential mitigation against a integer overflow, as its possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. At the very least, the fact that the recommended mitigation forcibly controls the max size of the packet that can be received suggests that this is a buffer overflow of some sort. Given the dynamic nature of DNS and the fact that it has to handle multiple requests at once, my guess is that its a heap buffer overflow.\n\nNow that CheckPoint\u2019s blog post is public one can confirm that this is in fact a integer overflow leading to a heap buffer overflow within the `SigWireRead` function of `dns.exe`, the server component of Microsoft\u2019s DNS implementation. When the DNS server receives a SIG query response, that, when decompressed, incremented by 0x14, and added to the result of an earlier `Name_PacketNameToCountNameEx` call, is greater than 0xFFFF, will result in integer overflow, resulting in the following `RR_AllocateEx` call allocating too small of a heap buffer for the resource record, and a heap buffer overflow occurring when `memcpy` is called to copy the SIG query response into the overly small heap buffer that `RR_AllocateEx` allocated.\n\nA very important point to note here is that whilst there is a RCE potential here by smuggling DNS requests over HTTP, it seems that CheckPoint has noted that only some browsers, notably Microsoft Edge and Internet Explorer, actually support sending HTTP requests to port 53, so whilst their video at <https://youtu.be/PUlMmhD5it8> is certainly pretty cool, its important to note that with Google Chrome taking up over 65% of the browser market share according to <https://gs.statcounter.com/browser-market-share> as of July 2020, and IE and Edge accounting for a combined total of roughly 4% of all browsers, its pretty unlikely that most organizations will 
be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. 
So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2020-1350 Windows DNS Server Remote Code Execution (SigRed)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-12-28T00:00:00", "id": "AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB", 
Link: <https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred>

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system.

Source: CISA KEV, "SAP Netweaver JAVA remote unauthenticated access vulnerability", published 2021-11-03, modified 2021-11-03, id CISA-KEV-CVE-2020-6287; CVE-2020-6287; CVSS 3.1 base score 10.0 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS 2.0 base score 10.0 (HIGH), vector AV:N/AC:L/Au:N/C:C/I:C/A:C.

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

Source: CISA KEV, "\"SigRed\" - Microsoft Windows Domain Name System (DNS) Server Remote Code Execution Vulnerability", published 2021-11-03, modified 2021-11-03, id CISA-KEV-CVE-2020-1350; CVE-2020-1350; CVSS 3.1 base score 10.0 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS 2.0 base score 10.0 (HIGH), vector AV:N/AC:L/Au:N/C:C/I:C/A:C.

SAP has patched a [critical vulnerability](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675>) impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, allowing an unauthenticated attacker to take control of SAP applications.
The bug, dubbed RECON and tracked as **CVE-2020-6287**, is rated with a maximum CVSS score of 10 out of 10, potentially affecting over 40,000 SAP customers, according to cybersecurity firm Onapsis, which [uncovered the flaw](<https://www.onapsis.com/recon-sap-cyber-security-vulnerability>).

"If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications," the US Cybersecurity and Infrastructure Security Agency (CISA) said in an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>).

"The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability," it added.

The vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer (up to SAP NetWeaver 7.5), putting several SAP business solutions at risk, including but not limited to SAP Enterprise Resource Planning, SAP Product Lifecycle Management, SAP Customer Relationship Management, SAP Supply Chain Management, SAP Business Intelligence, and SAP Enterprise Portal.

According to Onapsis, RECON is caused by a lack of authentication in the web component of the SAP NetWeaver AS for Java, thus allowing an attacker to perform high-privileged activities on the susceptible SAP system.

"A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet," CISA said.

By exploiting the flaw to create a new SAP user with maximum privileges, the intruder can compromise SAP installations to execute arbitrary commands, such as modifying or extracting highly sensitive information as well as disrupting critical business processes.

Although there's no evidence of any active exploitation of the vulnerability, CISA cautioned that the patches' availability could make it easier for adversaries to reverse-engineer the flaw to create exploits and target unpatched systems.

Given the severity of RECON, it's recommended that organizations apply critical patches as soon as possible, scan SAP systems for all known vulnerabilities, and analyze systems for malicious or excessive user authorizations.

Source: The Hacker News, "New Highly-Critical SAP Bug Could Let Attackers Take Over Corporate Servers", published 2020-07-14T07:17:00, modified 2020-07-14T07:17:22, id THN:D01CFEFA5701B3385F989E1BE705F6AA; CVE-2020-6287; CVSS 3.1 base score 10.0 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS 2.0 base score 10.0 (HIGH), vector AV:N/AC:L/Au:N/C:C/I:C/A:C.
Link: <https://thehackernews.com/2020/07/sap-netweaver-vulnerability.html>

Cybersecurity researchers today disclosed a new highly critical "wormable" vulnerability, carrying a severity score of 10 out of 10 on the CVSS scale, affecting Windows Server versions 2003 to 2019.

The 17-year-old remote code execution flaw ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), dubbed '**SigRed**' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization's IT infrastructure.

A threat actor can exploit the SigRed vulnerability by sending crafted malicious DNS queries to a Windows DNS server and achieve arbitrary code execution, enabling the hacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and much more.

In a detailed [report](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) shared with The Hacker News, Check Point researcher Sagi Tzadik confirmed that the flaw is wormable in nature, allowing attackers to launch an attack that can spread from one vulnerable computer to another without any human interaction.

"A single exploit can start a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any human interaction," the researcher said.

"This means that a single compromised machine could be a 'super spreader,' enabling the attack to spread throughout an organization's network within minutes of the first exploit."

After the cybersecurity firm responsibly disclosed its findings to Microsoft, the Windows maker prepared a patch for the vulnerability and began rolling it out starting today as part of its July Patch Tuesday, which also includes security updates for 122 other vulnerabilities, with a total of 18 flaws listed as critical, and 105 as important in severity.

Microsoft [said](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install the patches immediately.

"Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible," Microsoft said.

## Crafting Malicious DNS Responses

Stating that the objective was to identify a vulnerability that would let an unauthenticated attacker compromise a Windows Domain environment, Check Point researchers said they focused on Windows DNS, specifically taking a closer look at how a DNS server parses an incoming query or a response for a forwarded query.

A forwarded query happens when a DNS server cannot resolve the IP address for a given domain name (e.g., www.google.com), resulting in the query being forwarded to an authoritative DNS name server (NS).
To exploit this architecture, SigRed involves configuring a domain's ("deadbeef.fun") [NS resource records](<https://en.wikipedia.org/wiki/List_of_DNS_record_types>) to point to a malicious name server ("ns1.41414141.club"), and querying the target DNS server for the domain in order to have the latter parse responses from the name server for all subsequent queries related to the domain or its subdomains.

With this setup in place, an attacker can trigger an integer overflow flaw in the function that parses incoming responses for forwarded queries ("dns.exe!SigWireRead") to send a DNS response that contains a [SIG resource record](<https://tools.ietf.org/html/rfc2535#section-2.3.1>) larger than 64KB and induce a "controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer."

Put differently, the flaw targets the function responsible for allocating memory for the resource record ("RR_AllocateEx") to generate a result bigger than 65,535 bytes to cause an integer overflow that leads to a much smaller allocation than expected.

But with a single DNS message limited to 512 bytes in UDP (or 4,096 bytes if the server supports [extension mechanisms](<https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS>)) and 65,535 bytes in TCP, the researchers found that a SIG response with a lengthy signature alone wasn't enough to trigger the vulnerability.

To achieve this, the attack cleverly takes advantage of [DNS name compression](<https://powerdns.org/hello-dns/basic.md.html#dnsbasics>) in DNS responses to create a buffer overflow using the aforementioned technique to increase the allocation's size by a significant amount.

## Remote Exploitation of the Flaw

That's not all. SigRed can be triggered remotely via a browser in limited scenarios (e.g., Internet Explorer and non-Chromium based Microsoft Edge browsers), allowing an attacker to abuse Windows DNS servers' support for [connection reuse and query pipelining](<https://tools.ietf.org/html/rfc7766#section-6.2.1>) features to "smuggle" a DNS query inside an HTTP request payload to a target DNS server upon visiting a website under their control.

What's more, the bug can be further exploited to leak memory addresses by corrupting the metadata of a DNS resource record and even achieve [write-what-where](<https://cwe.mitre.org/data/definitions/123.html>) capabilities, allowing an adversary to hijack the execution flow and cause it to execute unintended instructions.

Surprisingly, DNS clients ("dnsapi.dll") are not susceptible to the same bug, leading the researchers to suspect that "Microsoft manages two completely different code bases for the DNS server and the DNS client, and does not synchronize bug patches between them."

Given the severity of the vulnerability and the high chances of active exploitation, it's recommended that users patch their affected Windows DNS Servers to mitigate the risk.

As a temporary workaround, the maximum length of a DNS message (over TCP) can be set to "0xFF00" to eliminate the chances of a buffer overflow:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
    net stop DNS && net start DNS

"A DNS server breach is a very serious thing. Most of the time, it puts the attacker just one inch away from breaching the entire organization. There are only a handful of these vulnerability types ever released," Check Point's Omri Herscovici told The Hacker News.
"Every organization, big or small, using Microsoft infrastructure is at major security risk, if left unpatched. The risk would be a complete breach of the entire corporate network."

Source: The Hacker News, "17-Year-Old Critical 'Wormable' RCE Vulnerability Impacts Windows DNS Servers", published 2020-07-14T17:13:00, modified 2021-04-13T11:27:23, id THN:DBFCCEBE2752BA05D9181D55D3477666, <https://thehackernews.com/2020/07/windows-dns-server-hacking.html>; CVE-2020-1350; CVSS 3.1 base score 10.0 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS 2.0 base score 10.0 (HIGH), vector AV:N/AC:L/Au:N/C:C/I:C/A:C.

Cyber attackers are actively setting their sights on unsecured SAP applications in an attempt to steal information and sabotage critical processes, according to new research.

"Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations," cybersecurity firm Onapsis and SAP [said](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>) in a joint report published today.

The Boston-based company said it detected over 300 successful exploitations out of a total of 1,500 attempts targeting previously known vulnerabilities and insecure configurations specific to SAP systems between mid-2020 and March 2021, with multiple brute-force attempts made by adversaries aimed at high-privilege SAP accounts as well as chaining together several flaws to strike SAP applications.

Applications that have been targeted include, but are not limited to, enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM), and others.

Troublingly, the Onapsis report outlines weaponization of SAP vulnerabilities in less than 72 hours from the release of patches, with new unprotected SAP applications provisioned in cloud environments being discovered and compromised in less than 3 hours.

In one case, a day after SAP issued a patch for [CVE-2020-6287](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>) (more below) on July 14, 2020, a proof-of-concept exploit emerged in the wild, which was followed by mass scanning activity on July 16 and the release of a fully-functional public exploit on July 17, 2020.

The attack vectors were no less sophisticated. The adversaries were found to adopt a varied set of techniques, tools, and procedures to gain initial access, escalate privileges, drop web shells for arbitrary command execution, create SAP administrator users with high privileges, and even extract database credentials.
The attacks themselves were launched with the help of TOR nodes and distributed virtual private servers (VPS).\n\n[](<https://thehackernews.com/images/-thOJEuCUSH4/YGxjK5MJGmI/AAAAAAAACLk/k5kYRCll1SYAktNePrl_GDL-cUcYgfNswCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nThe six flaws exploited by threat actors include \u2014\n\n * [**CVE-2010-5326**](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>) (CVSS score: 10) - Remote code execution flaw in SAP NetWeaver Application Server (AS) Java\n * [**CVE-2016-3976**](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) (CVSS score: 7.5) - Directory traversal vulnerability in SAP NetWeaver AS Java\n * [**CVE-2016-9563**](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>) (CVSS score: 6.4) - XML External Entity ([XXE](<https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/>)) expansion vulnerability in BC-BMT-BPM-DSK component of SAP NetWeaver AS Java\n * [**CVE-2018-2380**](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>) (CVSS score: 6.6) - Directory traversal vulnerability in Internet Sales component in SAP CRM\n * [**CVE-2020-6207**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>) (CVSS score: 9.8) - Missing authentication check in SAP Solution Manager\n * [**CVE-2020-6287**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>) (CVSS score: 10) - RECON (aka Remotely Exploitable Code On NetWeaver) flaw in LM Configuration Wizard component \n\nFirst disclosed in July 2020, successful exploitation of [CVE-2020-6287](<https://thehackernews.com/2020/07/sap-netweaver-vulnerability.html>) could give an unauthenticated attacker full access to the affected SAP system, counting the \"ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk.\"\n\nOnapsis also said it was able to detect scanning activity 
for CVE-2020-6207 dating back to October 19, 2020, almost three months before the public release of a [fully-working exploit](<https://thehackernews.com/2021/01/beware-fully-functional-released-online.html>) on January 14, 2021, implying that threat actors had knowledge of the exploit prior to the public disclosure.\n\nFurthermore, a separate attack observed on December 9 was found to chain exploits for three of the flaws, namely CVE-2020-6287 for creating an admin user and logging in to the SAP system, CVE-2018-2380 for privilege escalation, and CVE-2016-3976 for access to high-privileged accounts and the database.\n\n\"This all happened within 90 minutes,\" Onapsis researchers noted.\n\nWhile no customer breaches have been uncovered, both SAP and Onapsis are urging businesses to perform a compromise assessment of applications, apply relevant patches, and address misconfigurations to prevent unauthorized access.\n\n\"The critical findings [...] describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years,\" Onapsis CEO Mariano Nunez said. \"Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes.\"\n\n\"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action,\" Nunez added.\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has also published an [alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) warning of ongoing nefarious cyber activity in the SAP threat landscape, stating that \"systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-06T13:43:00", "type": "thn", "title": "Watch Out! 
Mission Critical SAP Applications Are Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-07T04:31:36", "id": "THN:3C21F3359B50A4527A83BD7E63B731B2", "href": "https://thehackernews.com/2021/04/watch-out-mission-critical-sap.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-10-29T14:42:12", "description": "\n\nSpooky season is in full swing, and we\u2019re not just talking about Halloween. [Security vulnerabilities](<https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/>) can range from tiny errors to large-scale gaps in protection, and all have different consequences. We put together a list of some of the scariest vulnerabilities of the year (the tricks!) and the remediation solutions that can help you stay on guard in the future (the treats!).\n\n## [SMBghost](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=search>)\n\n\n\n**The Trick: **SMBghost is a [buffer overflow vulnerability](<https://blog.rapid7.com/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/>) when compression is enabled in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. 
A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application. Yikes!\n\nThe impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system-level access in kernel mode. This vulnerability has also been deemed as wormable, which makes it a priority for attackers to utilize.\n\n**The Treat: **Though the attacker value is very high, most [AttackerKB](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost>) users have noted that the vuln\u2019s exploitability is relatively low. Microsoft has since released a patch for this vulnerability and suggests that users take proper precaution when enabling compression within SMB. Now, with many knowledge workers still stuck at home thanks to the pandemic, and therefore not spending a lot of time hanging out in SMB-heavy environments, this sequestration might actually be limiting the value of this and other SMB vulnerabilities\u2014maybe working from home might actually be good for security!\n\n## [BlueGate](<https://attackerkb.com/topics/Er1dwnOh2a/windows-remote-desktop-gateway-rce-cve-2020-0609?referrer=search>)\n\n\n\n**The Trick: **A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. A ghost-like attacker messing with your data? Pretty spooky.\n\n**The Treat: **This ghost is probably going away with regular and timely security patches. 
Though it goes against expert advice to deploy right smack on the internet, maintainers of such servers just need to keep up on their patches in the same way a typical IIS administrator does. The Microsoft-issued update addresses the vulnerability by correcting how RD Gateway handles connection requests.\n\n## [Ripple20](<https://attackerkb.com/topics/EZhbaWNnwV/ripple20-treck-tcp-ip-stack-vulnerabilities?referrer=search>)\n\n\n\n**The Trick: **In June, security firm JSOF published research on a collection of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck, a company that has distributed embedded internet protocols since the \u201990s. The 19 vulnerabilities \u201caffect hundreds of millions of devices (or more),\u201d thanks to the ripple effect of the supply chain. Consider \u201c19\u201d to be quite the opposite of a magic number. The 19 vulnerabilities are not equal in their severity and potential impact and are likely to persist for some time.\n\n**The Treat: **Is there any good news? Well, the practical attacker value of this suite of vulnerabilities is, on the whole, relatively low. This is in large part because of the lack of attack scalability: Each attack will, in all likelihood, need to be tailor-made for the target device, and even the value of targeting specific devices is heavily dependent on device capabilities and the context in which that device is used. The Treck TCP/IP stack is geared toward low-resource devices, which makes the Ripple20 vulnerabilities significantly less likely to be targeted in resource-heavy attacks such as crypto-mining or ransomware campaigns. 
If users want to change course from a scary ending to a happy one, users are best served by applying detections at the edge and internal network level to filter out malformed TCP/IP packets, IP fragments, and other lesser-used networking features, where possible.\n\n## [Bad Neighbor](<https://attackerkb.com/topics/17lFRTT1DO/cve-2020-16898-aka-bad-neighbor-ping-of-death-redux>)\n\n\n\n**The Trick:** Bad Neighbor is a remote code execution vulnerability that arises when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target server or client. The vulnerability has garnered broad attention as potentially wormable. This bad neighbor is probably someone who gives out wormable apples instead of candy.\n\n**The Treat: **You can\u2019t call the homeowners association on this one, but we recommend applying the patch for CVE-2020-16898 (Bad Neighbor) as soon as possible. For those who are unable to patch immediately, consider disabling ICMPv6 RDNSS as a workaround.\n\n## [RECON](<https://blog.rapid7.com/2020/07/14/pay-attention-to-your-sap-security/>)\n\n\n\n**The Trick: **This critical [SAP vulnerability (RECON)](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java#rapid7-analysis>) from July affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. Though a few months have passed since its publication, it\u2019s still a big deal, especially since exploit code is publicly available. Businesses rely on SAP for a wide variety of processes, capturing everything from financial data to business intelligence. Most organizations use it as a tool to manage compliance and ensure access is provisioned (and, more importantly, deprovisioned) with urgency. 
The critical component to this vulnerability is that it does not require authentication to exploit, meaning any SAP NetWeaver system with the vulnerable components exposed to the internet\u2014currently estimated to be at least 4,000\u2014can be trivially compromised to wreak havoc on business systems. _So, yeah, this one is big-time scary._\n\n**The Treat:** This trick feels more like a long con. And how do you unravel the layers and remediate a long con? Conversations should begin with IT by identifying which physical or virtual assets are affected. SAP NetWeaver serves as the base layer for many SAP products, so many applications and processes are likely affected. Understanding how many systems you need to apply this patch to will help you begin to communicate estimated downtime to the business. Treating vulnerabilities, especially severe ones like this, is an exercise in diplomacy, politics, and trade-offs. For some, this will require removing SAP\u2019s direct access to the internet. For others, it will require implementing WAF and/or IPS rules. CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity. SAP customers should be on the lookout for unusual processes spawned under the context of users that match the <sid>adm naming convention. File metadata may also be a good way to identify when SAP NetWeaver software spawns non-SAP binaries. Rapid7 also recommends ensuring that any web service does not run using a privileged account. For others, it will result in accepting the risk. 
The key message here is to sit down with all stakeholders, including business leaders, to get on the same page about the severity of this vulnerability, develop and activate a treatment plan, and make sure to have, at a minimum, detective controls in place to respond.\n\n## [SigRed](<https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred>)\n\n\n\n**The Trick: **A remote code execution vulnerability codenamed \u201cSigRed\u201d exists in Windows Domain Name System servers when they fail to properly handle requests. Successful exploitation can result in domain administrator privileges, compromising critical business data, assets, and infrastructure. If that wasn\u2019t scary enough, Homeland Security decided to get involved. The U.S. Department of Homeland Security issued an emergency directive on July 16, 2020 requiring federal agencies to patch or mitigate the vulnerability within 24 hours\u2014only the third time CISA\u2019s current director has taken such an action. As with any vulnerability known to be wormable, CVE-2020-1350, or SigRed, will make an attractive target for ransomware campaigns in addition to stealthier threat actors.\n\n**The Treat: **CISA put out urgent guidance to those who have Windows servers running DNS: patch on an emergency basis. Microsoft released guidance on mitigations for those who cannot patch, but as with other recent high-severity, high-urgency vulnerabilities, it is highly recommended that defenders prioritize patching over mitigation wherever possible. 
When attacker value is this high, don\u2019t just run for the hills\u2014instead, follow the rules and prioritize patching to keep monsters out of your servers.\n\n## [Curveball](<https://blog.rapid7.com/2020/01/16/cve-2020-0601-windows-cryptoapi-spoofing-vulnerability-what-you-need-to-know/>)\n\n\n\n**The Trick: **In January, a flaw [(CVE-2020-0601 or Curveball)](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-0601>) was found in the way the Microsoft Windows CryptoAPI performs certificate validation, allowing attackers to spoof X.509 certificates. This is core cryptographic functionality used by a number of different software components, with far-reaching impact ranging from programming languages to web browsers.\n\n**The Treat: **This year started out with a fright, but there are some silver linings. The mitigation steps taken by Microsoft and others (e.g., Google Chrome) to detect and alert users to exploitation attempts are a welcome development for defenders and users. Windows Update services were not affected by this due to extended hardening in years past, showing that defense-in-depth is important for maintaining critical infrastructure. This vulnerability also highlights a specification flaw that software projects should heed: Untested features are likely vulnerable features. Because this vulnerability is in an extremely seldom-used feature of the TLS specification that allows users to specify their own elliptic curves, it meant the feature was largely untested. Vulnerability hunters and defenders may be on the lookout for similar bugs in other TLS implementations in the future.\n\nIt\u2019s Halloween, not April Fools\u2019, and these vulnerabilities are no joke. As with any security scare, it\u2019s important not only to remediate, but to reflect on what we can learn from these mistakes. 
If you\u2019re looking for more visibility into which of these vulnerabilities is present in your organization, learn more about [our vulnerability management tool, InsightVM](<https://www.rapid7.com/products/insightvm/>).\n", "cvss3": {}, "published": "2020-10-29T13:59:06", "type": "rapid7blog", "title": "Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0796", "CVE-2020-1350", "CVE-2020-16898", "CVE-2020-6287"], "modified": "2020-10-29T13:59:06", "id": "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492", "href": "https://blog.rapid7.com/2020/10/29/trick-or-treat-what-we-can-learn-from-the-spookiest-vulnerabilities-of-the-year/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-08T18:54:35", "description": "\n\n_The following blog was co-authored by Caitlin Condon and [Bob Rudis](<https://blog.rapid7.com/author/bob-rudis>), also known (in his own words) as \u201csome caveman from Maine.\u201d_\n\nLast week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI [published a joint alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) to warn users that APT threat actors were likely exploiting unpatched Fortinet FortiOS devices to gain initial access to government, commercial, technology, and other organizations\u2019 networks. The alert highlighted three FortiOS vulnerabilities, all of which were previously known, and at least one of which (CVE-2018-13379) has been broadly exploited for more than 18 months. 
This week, CISA [published an additional alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) amplifying a threat report from security firm Onapsis, which describes [ongoing attacks against SAP applications](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>).\n\nRapid7 has previously analyzed a number of the highest-severity vulnerabilities enumerated in this latest set of alerts. The CVEs included in these reports have been detailed below, along with recommendations for organizations seeking to defend themselves against ongoing exploitation. Notably, none of these vulnerabilities are new\u2014many of them are a year or more old, which underscores the need for a regular patch cycle, as well as a defined patch cycle exception process.\n\n## FortiOS vulnerabilities\n\nFortinet devices are what we call **network pivots**\u2014that is, the position they occupy in organizations\u2019 networks gives external attackers the ability to access internal networks if exploited successfully, which in turn allows for a range of secondary attacks and other nefarious activities. If at all possible, defenders should strongly consider implementing a \u201czero-day\u201d patch cycle for internet-exposed and other network pivot products, including (but not only) Fortinet and other VPNs. InsightVM and Nexpose customers can assess their exposure to all three FortiOS CVEs below with vulnerability checks.\n\n * CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests and has been [exploited in the wild since 2019](<https://us-cert.cisa.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications>). 
Read our [full analysis of CVE-2018-13379 and its history here](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog#rapid7-analysis>).\n * [CVE-2019-5591](<https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591?referrer=blog>) is a default configuration vulnerability in FortiOS that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n * [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812?referrer=blog>) is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below that gives a user the ability to log in successfully without being prompted for the second factor of authentication (FortiToken) if that user changes the case of their username.\n\nSince the beginning of March, Rapid7 Labs' Heisenberg Honeypot fleet has seen nearly 60 IP addresses attempting common, known single `GET` request exploits against Fortinet devices (we\u2019ve grouped the IP addresses up to the hosting provider/ISP level):\n\n\n\nUnfortunately, our fleet does not emulate Fortinet devices. 
Since these devices are fairly easy to distinguish on the internet (nearly 1 million of them in the image, below)\u2014due to the common vendor SSL certificate they use\u2014it is surprising to see opportunistic exploit attempts versus just inventory/discovery scans.\n\nOver 1 million Fortinet devices discovered by the latest Project Sonar scans (geolocated with MaxMind)\n\nThat last sentence should help organizations underscore why CISA and the FBI raised the Fortinet exploitation campaign to the level of a joint alert: Attackers can easily identify legitimate Fortinet endpoints on the internet, and it takes virtually no time from discovery to exploit if a target system is not patched and configured properly.\n\nOn April 3, 2021, Fortinet published [a post on patch and vulnerability management](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>) where they outlined their emergency response and patch release practices, their new alignment to ISO standards, and further emphasized the need to keep internet-exposed Fortinet devices patched. They have a special knowledge base article on [how to keep notified about Fortinet patch releases](<https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD50697&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=184200521&stateId=1%200%20184202090%27>) and provide multiple ways for organizations to stay current on Fortinet security updates. 
\n\nAs Fortinet notes in that post, these weaknesses have had patches available for quite some time, so if you\u2019re just getting around to fixing them, you may need to dedicate some further cycles to some forensic activity, as it is very likely one or more attackers have already taken advantage of these vulnerabilities.\n\nTo learn more about other vulnerabilities that functioned as network pivots for attackers, read [Rapid7\u2019s 2020 Vulnerability Intelligence Report](<https://www.rapid7.com/research/report/vulnerability-intelligence-report/>).\n\n## Actively exploited SAP vulnerabilities\n\nThe two most recent SAP vulnerabilities detailed in Onapsis\u2019 threat report are CVE-2020-6287, a CVSS-10 vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard that has been actively exploited in the wild since July 2020, and SAP Solution Manager CVE-2020-6207. Both of these vulnerabilities allow broad compromise of SAP applications and environments.\n\n * CVE-2020-6287 is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5). It allows remote, unauthenticated attackers to exploit and fully compromise vulnerable SAP installations. Exploitation of CVE-2020-6287 through the HTTP interface allows for modification or extraction of highly sensitive information and disruption of critical business processes. For a list of affected applications and additional guidance, read Rapid7\u2019s [full analysis here](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java?referrer=blog#rapid7-analysis>).\n * CVE-2020-6207 arises from a missing authentication check in version 7.2 of SAP\u2019s Solution Manager product, allowing attackers to completely compromise all SMDAgents connected to the Solution Manager. 
\nSAP customers should pay close attention to their access logs and monitor for unauthorized user account creation; they should also ensure that web services in general do not run using privileged accounts. InsightVM and Nexpose customers can assess their risk to CVE-2020-6287 with a remote vulnerability check. A check for CVE-2020-6207 is currently under development.\n\nOther SAP vulnerabilities noted as being exploited in the wild include:\n\n * CVE-2018-2380 affects SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54. The vulnerability allows an attacker to exploit insufficient validation of path information provided by users, letting characters representing \"traverse to parent directory\" pass through to the file APIs.\n * CVE-2016-9563 is a vulnerability in SAP NetWeaver Application Server (AS) Java 7.5 that allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI.\n * CVE-2016-3976 is a directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 that allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to `CrashFileDownloadServlet`.\n * CVE-2010-5326 is a CVSS-10 vulnerability in the `Invoker` Servlet on SAP NetWeaver Application Server Java platforms that arises from a lack of authentication and allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. It was used in attacks from 2013 to 2016.\n\nAttackers have used these vulnerabilities to establish persistence, escalate privileges, and evade detection. It is also possible that threat actors may build exploit chains that extend access beyond SAP applications to underlying operating systems. Further information and recommendations are [available from Onapsis here](<https://www.onapsis.com/active-cyberattacks-mission-critical-sap-applications>). 
\n", "cvss3": {}, "published": "2021-04-08T17:18:07", "type": "rapid7blog", "title": "Attackers Targeting Fortinet Devices and SAP Applications", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-13379", "CVE-2018-2380", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-08T17:18:07", "id": "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "href": "https://blog.rapid7.com/2021/04/08/attackers-targeting-fortinet-devices-and-sap-applications/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-01-26T11:37:27", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive 20-03 addressing a critical vulnerability\u2014CVE-2020-1350\u2014affecting all versions of Windows Server with the Domain Name System (DNS) role enabled. A remote attacker could exploit this vulnerability to take control of an affected system. This vulnerability is considered \u201cwormable\u201d because malware exploiting it on a system could, without user interaction, propagate to other vulnerable systems.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible. 
Review the following resources for more information:\n\n * [CISA Emergency Directive 20-03: Mitigate Windows DNS Server Remote Code Execution Vulnerability from July 2020 Patch Tuesday](<https://www.cisa.gov/emergency-directive-20-03>)\n * [CISA Blog on Emergency Directive (ED 20-03) Windows DNS Server Vulnerability](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)\n * [Microsoft Security Vulnerability Information for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)\n * [Microsoft Security Blog Post: CVE-2020-1350 Vulnerability in Windows DNS Server](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-16T00:00:00", "type": "cisa", "title": "CISA Releases Emergency Directive on Critical Microsoft Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-01-25T00:00:00", "id": "CISA:72803FA1C7CD81E274A0417B0A34353E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:43", "description": "Microsoft has released a security update to address a remote code execution (RCE) vulnerability\u2014CVE-2020-1350\u2014in Windows DNS Server. A remote attacker could exploit this vulnerability to take control of an affected system. This is considered a \u201cwormable\u201d vulnerability that affects all Windows Server versions.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft\u2019s [Security Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) and [Blog](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) for more information, and apply the necessary update and workaround.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "cisa", "title": "Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T00:00:00", "id": "CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2020-09-21T18:52:49", "description": "Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a \u2018wormable\u2019 vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected. Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. 
While this \u2026\n\n[ July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server Read More \u00bb](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T17:01:00", "type": "msrc", "title": "July 2020 Security Update:\u202fCVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T17:01:00", "id": "MSRC:79080D1EA83C3BB4689C763E5FACBDB5", "href": "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-07-16T08:28:41", "description": "A critical Microsoft Windows Server bug opens company networks to hackers, allowing them to potentially seize control of IT infrastructures. 
Microsoft issued a patch for the bug on Tuesday as part of its July Patch Tuesday roundup.\n\nIt turns out that the bug is 17 years old. Impacted are Windows Server versions from 2003-2019. The bug, found by researchers at Check Point, received a severity warning of 10 \u2013 the highest allowed. Most concerning to researchers however is that the bug is wormable, meaning a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.\n\n\u201c[The] security flaw would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,\u201d according to Check Point researcher Sagi Tzaik, who is credited for finding the flaw.\n\nMicrosoft released a patch for the vulnerability, identified as [CVE-2020-1350,](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) and [urged customers](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) to prioritize an update to their systems. Check Point is calling the bug SigRed \u2013 a nod to the vulnerable DNS component and function \u201cdns.exe\u201d.\n\nA hacker can gain Domain Administrator rights over the server, \u201cenabling the hacker to intercept and manipulate users\u2019 emails and network traffic, make services unavailable, harvest users\u2019 credentials and more. In effect, the hacker could seize complete control of a corporation\u2019s IT,\u201d researchers wrote, in a technical analysis of the bug, posted Tuesday.\n\n## **Patching Is an Imperative **\n\nUpping the chance for exploitation by a hacker is the relatively simple prerequisites needed to exploit the vulnerability. 
\u201cThe likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources,\u201d researchers noted.\n\n\u201cThis issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected,\u201d [Microsoft wrote in a post Tuesday](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>). \u201cWhile this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.\u201d\n\nMechele Gruhn, principal security PM manager at the Microsoft Security Response Center, noted that \u201cif applying the update quickly is not practical, a [registry-based workaround is available](<https://support.microsoft.com/en-us/help/4569509>) that does not require restarting the server. The update and the workaround are both detailed in [CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>).\u201d\n\n\u201cCVE-2020-1350, a wormable remote code execution vulnerability in Windows DNS Server, could very well be the most critical Windows vulnerability released this year, receiving a rare 10 out of 10 CVSS score,\u201d Chris Hass, director of information security and research at Automox, told Threatpost.\n\n\u201cA wormable vulnerability like this is an attacker\u2019s dream. An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the local system account. 
Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya,\u201d Hass said.\n\n## **Exploiting a 17-Year-Old Bug**\n\nThe flaw itself is an integer-overflow bug that can trigger a heap-based buffer overflow attack tied to the DNS module called dns.exe, which is responsible for answering DNS queries on Windows Servers.\n\nBy abusing the dns.exe module, two attack surfaces were created by researchers. One is a \u201cbug in the way the DNS server parses an incoming query.\u201d And the second is \u201ca bug in the way the DNS server parses a response (answer) for a forwarded query.\u201d\n\nThe attack requires researchers to first force a Windows DNS Server to parse responses from a malicious DNS NameServer. This employs the dns.exe module, which parses all supported response types. One of those supported response types is for a Secure Internet Access (SIG) query called SIG(O). Researchers focused their attention on creating a request that exceeded the maximum size request of 65,535 bytes, and causing the overflow. By using compressed data, researchers were able to create a successful crash.\n\n\u201cAlthough it seems that we crashed because we were trying to write values to unmapped memory, the heap can be shaped in a way that allows us to overwrite some meaningful values,\u201d they wrote.\n\nThis local attack then was replicated remotely, by \u201csmuggling DNS inside HTTP\u201d requests on Microsoft Explorer and Microsoft Edge browsers (Google Chrome and Firefox are not vulnerable to this type of attack). 
Because DNS can be transported over TCP \u2014 and Windows DNS Server supports this connection type \u2013 researchers were able to craft an HTTP payload.\n\n\u201cEven though this is an HTTP payload, sending it to our target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query,\u201d they wrote. Researchers were able to circumvent HTTP protections against similar malicious HTTP payloads by \u201csmuggling\u201d DNS query data inside the POST data located in the HTTP request.\n\nChromium-class browsers (Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, therefore the bug can only be exploited on Internet Explorer and Microsoft Edge.\n\n\u201cSuccessful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS,\u201d Check Point wrote.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. 
[Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-14T19:01:04", "type": "threatpost", "title": "Critical DNS Bug Opens Windows Servers to Infrastructure Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T19:01:04", "id": "THREATPOST:96E775E045D4DF55CC1B9A3AA0C28F70", "href": "https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-17T21:59:13", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a \u201chigh potential for compromise of agency information systems.\u201d\n\nIn an [Emergency Directive](<https://cyber.dhs.gov/ed/20-03/>), the Department of Homeland Security (DHS) agency ordered the \u201cFederal Civilian Executive Branch\u201d to apply a patch Microsoft released Tuesday for the vulnerability, ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), by 2:00 pm ET Friday.\n\n\u201cCISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,\u201d the agency said in the directive. 
\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically, the directive requires that by the deadline, all of the aforementioned agencies do the following: \u201cUpdate all endpoints running Windows Server operating systems; ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role; ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed; and ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\u201d\n\nWhile there is no evidence of current active exploitation of the vulnerability, the CISA based its warning on \u201cthe likelihood of the vulnerability being exploited\u201d as well as \u201cthe widespread use of the affected software across the Federal enterprise,\u201d and \u201cthe grave impact of a successful compromise,\u201d according to the directive.\n\nThe CISA emergency directive includes:\n\n * By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\n\nThe agency recommends taking equipment offline if it can\u2019t be patched before the CISA deadline.\n\nThe vulnerability, a DNS flaw, was one of 123 bugs Microsoft patched in [July\u2019s Patch Tuesday](<https://threatpost.com/microsoft-tackles-123-fixes-july-patch-tuesday/157440/>), the fifth month in a row the company 
patched more than 100 vulnerabilities.\n\nCVE-2020-1350 is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server that was initially [discovered by Sagi Tzaik](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>), a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.\n\n\u201cA remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server,\u201d wrote Satnam Narang, staff research engineer at Tenable, in the company\u2019s [Patch Tuesday analysis](<https://www.tenable.com/blog/microsoft-s-july-2020-patch-tuesday-addresses-123-cves-including-wormable-windows-dns-server>). \u201cSuccessful exploitation would allow the attacker to execute arbitrary code under the local system account context,\u201d\n\nMoreover, the vulnerability is wormable, which means it could spread from computer to computer without user interaction, making it all the more dangerous, he said.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, the CISA also strongly recommends that all state and local governments, the private sector, and others patch this critical vulnerability as soon as possible.\n\nThe CISA has had its hands full lately warning on the exploit likelihood and danger of critical vulnerabilities that have either been discovered or patched in widely used hardware and software.\n\nOn July 14, the CISA [warned](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) of a critical vulnerability for SAP customers, the successful exploitation of which could open the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); and engage in other numerous types of disruptive behavior.\n\nA 
week before that, the agency urged all administrators to [implement an urgent patch](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nThe CISA also [warned](<https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/>) June 30 that foreign hackers were likely to exploit a critical vulnerability, CVE-2020-2021, in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, ordering agencies to patch all affected devices.\n", "cvss3": {}, "published": "2020-07-17T15:43:00", "type": "threatpost", "title": "CISA Emergency Directive Orders Immediate Fix of Windows DNS Server Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350", "CVE-2020-2021"], "modified": "2020-07-17T15:43:00", "id": "THREATPOST:363C332F7046A481C24C7172C55CF758", "href": "https://threatpost.com/cisa-emergency-directive-orders-immediate-fix-of-windows-dns-server-bug/157529/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:16:50", "description": "A critical vulnerability, carrying a severity score of 10 out of 10 on the CvSS bug-severity scale, has been disclosed for SAP customers.\n\nSAP\u2019s widely deployed collection of enterprise resource planning (ERP) software is used to manage their financials, logistics, customer-facing organizations, human resources and other business areas. 
As such, the systems contain plenty of sensitive information.\n\nAccording to [an alert](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>) from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bug ([CVE-2020-6287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287>)) has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted. SAP [delivered a patch](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675>) for the issue on Tuesday as part of its July 2020 Security Note.\n\n\u201cIt stands for Remotely Exploitable Code On NetWeaver,\u201d Mariano Nunez, CEO of Onapsis, told Threatpost. \u201cThis vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of [our analysis publication]. All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions.\u201d\n\nAn attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios, according to the firm.\n\n## **NetWeaver Java Woes**\n\nThe bug affects a default component present in every SAP application running the SAP NetWeaver Java technology stack, according to Onapsis. 
This technical component is used in many SAP business solutions, such as SAP S/4HANA, SAP SCM, SAP CRM, SAP CRM, SAP Enterprise Portal, SAP Solution Manager (SolMan) and many others, the researchers said.\n\nAccording to DHS, the vulnerability is introduced due to the lack of authentication in a web component of the SAP NetWeaver AS for Java, allowing for several high-privileged activities on the SAP system. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.\n\n\u201cIf successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (`<sid>adm`), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,\u201d according to the alert.\n\n## Impact\n\nPut another way, an unauthenticated attacker could create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management, and governance, risk and compliance solutions) and gaining full control of SAP systems, Nunez said.\n\n\u201cWith SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system,\u201d according to Onapsis, in a [technical analysis](<https://www.onapsis.com/recon-sap-cyber-security-vulnerability>) released on Tuesday. \u201cIn particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs and interfaces. 
In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.\u201d\n\nAnd while this is bad enough, the RECON vulnerability\u2019s risk increases when the affected solutions are exposed to the internet, to connect companies with business partners, employees and customers. These systems \u2013 Onapsis estimates there are at least 2,500 of them \u2013 have an increased likelihood of remote attacks, researchers said. Out of those vulnerable installations, 33 percent are in North America, 29 percent are in Europe and 27 percent are in Asia-Pacific.\n\n\u201cBecause of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise\u2019s IT controls for regulatory mandates\u2014potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance,\u201d according to the writeup.\n\n## Patch Available\n\nSAP\u2019s patch should be applied immediately, researchers recommended. While for now there is no indication that this has been exploited yet, Nunez told Threatpost that SAP customers should be on high alert now that the vulnerability has been announced and the DHS has sent out its US CERT alert warning.\n\n\u201cNow that the vulnerability and patch have been released, skilled hackers can quickly develop exploit code,\u201d he said. \u201cBecause there are many vulnerable Internet exposed SAP systems, the complexity of the attack is significantly less.\u201d\n\nThat said, because of the complexity of mission-critical applications and limited maintenance windows, organizations are often challenged to rapidly apply SAP security notes, the Onapsis team acknowledged.\n\n\u201cIt\u2019s difficult to patch mission-critical applications such as those from SAP because they need to be constantly available,\u201d Nunez told Threatpost. 
\u201cTesting can take a long time depending upon complexity and customization of the apps. Also, there are limited maintenance windows available to apply the patches.\u201d\n\nHe added, \u201cFor SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cybersecurity and compliance programs to ensure these applications are no longer in a blind spot. These systems are the lifeblood of the business and under the scope of strict compliance requirements, so there is simply nothing more important to secure.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n\n_ _\n", "cvss3": {}, "published": "2020-07-14T11:45:02", "type": "threatpost", "title": "Critical SAP Bug Allows Full Enterprise System Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-6287"], "modified": "2020-07-14T11:45:02", "id": "THREATPOST:AA1F3088D813F95D476A024378F27010", "href": "https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:22:35", "description": "A critical DNS bug and a publicly known elevation-of-privilege flaw top Microsoft\u2019s July Patch Tuesday list of 123 fixes. 
The [DNS flaw is a remote code-execution bug and is touted](<https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/>) as one of the most critical Windows vulnerabilities released this year, earning the highest-severity CVSS score of 10.\n\nThe elevation-of-privilege bug ([CVE-2020-1463](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1463>)) bug received a less-severe \u201cimportant\u201d rating, and impacts the Windows 10 and Windows Server SharedStream Library component. It stems from the way it handles objects in memory. Researchers expressed concern because the bug is publicly known, making it ripe for exploitation.\n\n\u201cThe [SharedStream] vulnerability could allow an attacker to execute code with elevated permissions,\u201d said Todd Schell, senior product manager, security, Ivanti. However, \u201cthe attacker would need to be locally authenticated to exploit,\u201d he said. \n[](<https://threatpost.com/newsletter-sign/>)\n\nThe more severe DNS flaw ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)) is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server and was found by Sagi Tzaik, a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.\n\n\u201cA remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server. Successful exploitation would allow the attacker to execute arbitrary code under the local system account context,\u201d wrote Satnam Narang, staff research engineer at Tenable, in the company\u2019s Patch Tuesday analysis.\n\nHe noted that Microsoft warned that this vulnerability is wormable, meaning it could spread from computer to computer without user interaction. 
\u201cOrganizations are strongly encouraged to patch their systems as soon as possible to address this vulnerability, as we expect that it won\u2019t be long before attackers begin to probe for and target vulnerable systems,\u201d he wrote as part of Tenable\u2019s analysis of the flaw.\n\n[Related content: [Critical DNS Bug Opens Windows Servers to Infrastructure Hijacking](<https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/>)]\n\n## **123 Fixes: Another Triple-Digit Month**\n\nIn all, Microsoft patched 123 bugs, 18 listed as critical and 105 listed as important in severity. Microsoft\u2019s advisories covered a wide swath of products, including Windows 10, Microsoft\u2019s new Chromium-based Edge browser, Internet Explorer (IE), Office and Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, .NET Framework, OneDrive, Azure DevOp and Open Source Software.\n\n\u201cThat makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742,\u201d wrote Zero Day Initiative (ZDI) researchers in their [Patch Tuesday analysis](<https://www.thezdi.com/blog/2020/7/14/the-july-2020-security-update-review>). \u201cFor comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month. 
They have already passed their totals for 2017 (665) and 2018 (691).\u201d\n\nResearchers at ZDI singled out a \u201crare\u201d critical elevation-of-privilege vulnerability ([CVE-2020-1025](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1025>)) in Microsoft Office: \u201cIt\u2019s rare to see an elevation-of-privilege bug rated critical in severity, but this vulnerability in SharePoint and Skype for Business servers certainly earns its rating.\u201d The flaw allows attackers to gain access to impacted servers through the improper handling of an [OAuth](<https://threatpost.com/microsoft-warns-oauth-attacks-cloud-app/157331/>) token.\n\n## **Patch Tuesday Bug Parade**\n\nMeanwhile, Adobe released five patches covering 13 CVEs in Adobe Cold Fusion, Download Manager, Genuine Service, Media Encoder and the Creative Cloud Desktop Application. Adobe patches included fixes for four critical vulnerabilities, as [outlined by Threatpost](<https://threatpost.com/adobe-critical-code-execution-bugs-july/157420/>).\n\nAlso on Tuesday, Google updated its [Google Chrome browser](<https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop.html>) with a security update tackling 38 vulnerabilities \u2014 including one critical. The critical bug (CVE-2020-6510) is a Chrome heap buffer overflow vulnerability tied to Chrome\u2019s background fetch function.\n\nThe Chrome security update is part of the release of Chrome 84 (84.0.4147.89), which notably includes deprecated support for TLS 1.0 and TLS 1.1.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. 
ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-14T21:32:06", "type": "threatpost", "title": "Microsoft Tackles 123 Fixes for July Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1025", "CVE-2020-1350", "CVE-2020-1463", "CVE-2020-6510"], "modified": "2020-07-14T21:32:06", "id": "THREATPOST:7E6D2DBA11B2CCCE264B0982306FBEB1", "href": "https://threatpost.com/microsoft-tackles-123-fixes-july-patch-tuesday/157440/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-07T18:10:44", "description": "Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, researchers are warning.\n\nAdversaries are carrying out a range of attacks, according to [an alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) from SAP and security firm Onapsis issued Tuesday \u2013 including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and other malware.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSAP applications help organizations manage critical business processes \u2013 including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM) and supply-chain management.\n\nFrom 
mid-2020 until today, Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances.\n\n## Who\u2019s at Risk?\n\nUnfortunately, the ongoing attacks could have far-reaching consequences, as SAP noted in the warning:\n\n\u201cThese are the applications that 92 percent of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy,\u201d the alert noted. \u201cWith more than 400,000 organizations using SAP, 77 percent of the world\u2019s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.\u201d\n\nGovernment agencies should take particular notice of the spate of attacks, researchers said.\n\n\u201cSAP systems are a prominent attack vector for bad actors,\u201d Kevin Dunne, president at Pathlock, told Threatpost. \u201cMost federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers.\u201d\n\nThe technology sector is another hot target for attacks, according to Setu Kulkarni, vice president of strategy at WhiteHat Security.\n\n\u201cOur reporting has found that independent software vendors (ISVs) and technology companies have an inordinately high window of exposure,\u201d he told Threatpost. 
\u201cWe are seeing that ISVs and technology companies are lacking in their security rigor as they ultimately may pass on the security responsibilities to the companies that use the ISV to build products for their customers.\u201d\n\n## **Active Exploitation**\n\nThe attacks are brute-forcing high-privilege SAP user accounts, as well as exploiting a raft of known bugs: [CVE-2020-6287](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>), [CVE-2020-6207](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>), [CVE-2018-2380](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>), [CVE-2016-9563](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>), [CVE-2016-3976](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) and [CVE-2010-5326](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>), according to the warning.\n\nThe adversaries are \u201cadvanced threat actors,\u201d according to Onapsis, as evidenced by how quickly they\u2019ve been able to develop exploits, among other things.\n\nThere is \u201cconclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,\u201d the alert reads. 
\u201cThe window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.\u201d\n\n\n\nSource: Onapsis.\n\nThe issues are as follows:\n\n * CVE-2020-6287 is a [critical authentication bypass issue](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) in SAP NetWeaver Application Server Java allowing full account takeover;\n * CVE-2020-6207 is another critical authentication bypass bug, in SAP Solution Manager;\n * CVE-2018-2380 is a medium-severity flaw in SAP CRM, which allows an attacker to exploit insufficient validation of path information provided by users;\n * CVE-2016-9563 is also a medium-severity bug, this time in SAP NetWeaver AS Java. Remote authenticated users can exploit it to conduct XML External Entity (XXE) attacks, which allow them to interfere with XML processing;\n * CVE-2016-3976 is a high-severity directory traversal vulnerability in SAP NetWeaver AS Java that allows remote attackers to read arbitrary files;\n * And CVE-2010-5326 is an 11-year-old critical issue in the Invoker Servlet on SAP NetWeaver AS Java. It doesn\u2019t require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request.\n\n\n\nExploit uses \u2013 click to enlarge. 
Source: Onapsis.\n\nAfter initial access, Onapsis observed threat actors using the vulnerabilities to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.\n\n\u201cAdditionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications,\u201d according to the analysis.\n\nAs an example, Onapsis said that one actor was able to scan and create an admin user utilizing an exploit utility for CVE-2020-6287. Upon successfully creating the profile and logging in, additional exploits were executed against CVE-2018-2380 for shell upload, as the attackers tried to access the operating system layer. Following that, exploits for CVE-2016-3976 were executed, targeting the download of a \u201ccredential store,\u201d which provides access to logins for high-privileged accounts and the core database. Worryingly, this all happened within 90 minutes, according to Onapsis.\n\n\n\nExploit chaining. Source: Onapsis.\n\nInterestingly, the cyberattackers in some cases are patching the exploited vulnerabilities after they\u2019ve gained access to a victim\u2019s environment, Onapsis said.\n\n\u201cThis action illustrates the threat actors\u2019 advanced domain knowledge of SAP applications, access to the manufacturer\u2019s patches and their ability to reconfigure these systems,\u201d according to the firm. 
\u201cThis technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.\u201d\n\n## **Who\u2019s Behind the SAP Attacks?**\n\nThe activity is being mounted by multiple groups, who appear to be engaged in coordinated activity across vast swathes of infrastructure, according to the alert.\n\n\u201cAttackers [are] triggering exploitation from different source systems from the ones used to perform subsequent manual logins were detected, indicating the possibility of coordinated groups and/or actors leveraging wide-spread attack infrastructure,\u201d it reads. \u201cWhile this behavior is common when analyzing operating system and network-based attacks, this data provides evidence that the same approach is also used when targeting mission-critical applications, as these actors use TOR nodes and distributed VPS infrastructures to launch the attacks and escalate privileges.\u201d\n\nThe activity is originating from all over the world, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen.\n\n## **How Can I Prevent an Attack?**\n\nThe main way to thwart these kinds of attacks is to patch the vulnerabilities. Also, any web-facing accounts should have unique passwords to disallow automated brute-force attempts to break in; and any systems that don\u2019t need to face the public web should be taken offline.\n\n\u201cAll observed exploited critical weaknesses have been promptly patched by SAP, and have been available to customers for months and years in some cases,\u201d the alert noted. 
\u201cUnfortunately, both SAP and Onapsis continue to observe many organizations that have still not applied the proper mitigations\u2026allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.\u201d\n\nAlso, while applying security patches in a timely fashion is critical to closing down the risk from major, known vulnerabilities, Pathlock\u2019s Dunne pointed out that patching can only remedy issues that are in the rear-view. With cyberattackers patching the bugs behind them, there also needs to be a way to detect malicious activity.\n\n\u201cFor a comprehensive, forward looking approach to SAP security, organizations need to implement a comprehensive solution to monitor user activities within the system, including interactions with sensitive data,\u201d he told Threatpost. \u201cThis way, even attackers that are able to breach SAP systems by known or unknown vulnerabilities can still be identified and their damage can be mitigated in real-time.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. 
_**\n", "cvss3": {}, "published": "2021-04-06T18:47:57", "type": "threatpost", "title": "SAP Bugs Under Active Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-06T18:47:57", "id": "THREATPOST:4CFA3A7AC21D83FC03B1B74B2DA261BD", "href": "https://threatpost.com/sap-bugs-cyberattack-compromise/165265/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2021-12-30T12:26:01", "description": "Microsoft's security update in July 2020 addresses the CVE-2020-1350 vulnerability. To exploit the vulnerability, an unauthenticated attacker could send specially crafted requests to a Windows DNS server. An attacker who successfully exploited the vulnerability could run arbitrary code remotely. (Vulnerability ID: HWPSIRT-2020-59863)\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200716-01-dns-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200716-01-dns-en>)\n\n \n\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200701-01-upnp-en>)\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-16T00:00:00", "type": "huawei", "title": "Security Advisory - Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-16T00:00:00", "id": "HUAWEI-SA-20200716-01-DNS", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200716-01-dns-en", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-08-07T08:03:43", "description": "On July 14, 2020, Microsoft issued a new security advisory on [Microsoft Windows Patch Day](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) \u2013 addressing **CVE-2020-1350, **also known as **SigRed** \u2013 a remote code execution vulnerability in Windows Domain Name System (DNS) servers. The security issue has received a critical severity rating score of 10.0 based on CVSS v3.1 Scoring system. \n\n**SigRed** affects Windows servers that are configured to run the DNS Server role as described in the advisory.\n\n#### **The Vulnerability**\n\nMicrosoft mentioned that \u201cit found no evidence to show that the bug has been actively exploited by attackers and advised users to install patches immediately.\u201d Furthermore, it added that the vulnerability has the potential to spread via malware between vulnerable computers without any user interaction. No authentication is mandatory to execute this wormable vulnerability. A nefarious actor who is successful in exploiting this vulnerability could run arbitrary code in the Local System account.\n\nThe flaw impacts only Windows DNS servers and not DNS server clients. 
Check Point Research team members Sagi Tzadik and Eyal Itkin have presented their research to Microsoft and shown it in a video [here](<https://www.youtube.com/watch?v=PUlMmhD5it8>).\n\nThe following components are vulnerable to CVE-2020-1350:\n\nFunction: _dns.exe!SigWireRead_\n\nVulnerability Type: _Integer Overflow leading to Heap-Based Buffer Overflow_\n\n\n\nImage Source: [Check Point](<https://www.youtube.com/watch?v=PUlMmhD5it8>)\n\n\u201cWithout any human interaction or authentication, a single exploit can start a chain reaction that would allow attacks to spread from one vulnerable machine to another,\u201d the researcher said. \u201cThis means that a single compromised machine could spread this attack throughout an organization\u2019s network within minutes of the first exploit.\u201d\n\n**Affected Windows Products**\n\nWindows Server 2004, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019\n\n### Identify Assets, Discover, Prioritize and Remediate Using Qualys VMDR\u00ae\n\nQualys VMDR, all-in-one vulnerability management, detection and response enables: \n\n * Identification of known and unknown hosts running vulnerable Windows servers with DNS service\n * Automatic detection of vulnerabilities and misconfigurations for Windows servers\n * Prioritization of threats based on risk \n * Integrated patch deployment \n\n#### Identification of Windows Assets with DNS Running\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of windows server hosts with DNS service running\n\n_operatingSystem.category1:`Windows` and services.name:`DNS` _\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 SIGRED. This helps in automatically grouping existing Windows hosts SIGRED as well as any new host that spins up with this vulnerability. 
Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n#### Discover SIGRED CVE-2020-1350 Vulnerability and Misconfigurations \n\nNow that the windows hosts with SIGRED are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like SIGRED based on the always-updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018SIGRED\u2019 asset tag in the vulnerabilities view by using QQL query:\n\n_vulnerabilities.vulnerability.qid: 91662_\n\nThis will return a list of all impacted hosts.\n\n\n\nAlong with the QID 91662, Qualys released the following IG QID 45451 to help customers track assets on which they have the mitigation applied. This QID can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\n_QID 45451: Microsoft KB4569509 Mitigation Guidance for DNS Server Applied (CVE-2020-1350). _\n\nThese QIDs are included in signature version VULNSIGS-2.4.942-2 and above.\n\nUsing VMDR, QID 91662 can be prioritized for the following RTIs:\n\n * Remote Code Execution\n * Unauthenticated Exploitation\n * Public Exploit\n * Denial of Service\n * Easy Exploit\n * High Data Loss\n * Wormable\n * Predicted High Risk\n * Privilege Escalation\n * High Lateral Movement\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the SIGRED threat feed to see the vulnerability and impacted host details. \n\nWith VM Dashboard, you can track SIGRED, impacted hosts, their status and overall management in real-time. 
With trending enabled for dashboard widgets, you can keep track of SIGRED vulnerability trends in your environment using [Microsoft SIGRED RCE Vulnerability Dashboard](<https://qualys-secure.force.com/customers/articles/Knowledge/000006377>).\n\n\n\n**Configuration management adds context to overall vulnerability management**\n\nTo reduce the overall security risk, it is important to take care of Windows system misconfigurations as well. Qualys VMDR shows your Windows system misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have SIGRED RCE vulnerability. \n\nWith the [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover the status of the \u2018DNS\u2019 service and if they have misconfigurations in context to the SIGRED vulnerability. \n\n * Qualys configuration ID \u2013 18935 "Status of the 'TcpReceivePacketSize' parameter within the 'HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters' registry key" would be evaluated against all Windows DNS servers as shown below\n\n\n#### Risk-Based Prioritization of SIGRED RCE Vulnerability \n\nNow that you have identified the hosts, versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk. \n\n**High Risk: ** \n\n * Hosts with DNS enabled and patch or workaround not applied are at high risk. \n * If due to business reasons it is not possible to apply the patch on the hosts for which CVE-2020-1350 is detected. Customers can check for misconfigurations (CID 18935 controls are failing) as shown below. 
\n\n\n**Medium Risk:** \n\n * Hosts with DNS enabled for which CVE-2020-1350 is detected, however, the configuration 18935 is detected as hardened are at medium risk.\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201ccve:`CVE-2020-1350`\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 SIGRED. \n\nFor proactive, continuous patching, you can create a daily job with a 24-hour \u201cPatch Window\u201d to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities. \n\nUsers are encouraged to apply patches as soon as possible.\n\n\n\nIn cases where due to business reasons it is not possible to apply patches, it is recommended that you reduce your security risk by remediating the related configuration settings for all running DNS Windows servers as provided in [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) by applying the following workarounds:\n\n**Workarounds**\n\nRegistry modification\n\n_HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters_\n\n_DWORD = TcpReceivePacketSize_\n\n_Value = 0xFF00_\n\nNote: You must restart the DNS Service for the workaround to take effect.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical SIGRED RCE vulnerability CVE-2020-1350.", "cvss3": {}, "published": "2020-07-20T20:45:55", "type": "qualysblog", "title": "Automatically Discover, Prioritize and Remediate Windows DNS Vulnerability (SigRed \u2013 CVE-2020-1350) Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": 
"2020-07-20T20:45:55", "id": "QUALYSBLOG:8028F138635C78F91B08AB2CF72FA154", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T08:03:43", "description": "This month\u2019s Microsoft Patch Tuesday addresses 123 vulnerabilities with 18 of them labeled as Critical. The 18 Critical vulnerabilities cover Hyper-V, DNS Server, PerformancePoint, SharePoint Server, Office, Outlook, Remote Desktop, and several other workstation vulnerabilities. Adobe issued patches today for Download Manager, Media Encoder, Genuine Service, ColdFusion, and Creative Cloud.\n\n## Workstation Patches\n\nToday's patch Tuesday fixes many vulnerabilities that would impact workstations. The Office, Outlook, Remote Desktop Client, DirectWrite, Address Book, LNK, GDI+, Font Library, and VBScript vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n## Windows DNS Server RCE\n\nAn extremely critical Remote Code Execution vulnerability ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)) is fixed today in all versions of Windows DNS Server. Microsoft ranks this vulnerability as "Exploitation More Likely," and according to Microsoft and the researchers at [Check Point](<https://research.checkpoint.com/>), the vulnerability is wormable. It is highly recommended to prioritize these patches on all Microsoft DNS servers, including Active Directory servers.\n\nIn a [guidance document](<https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability>), Microsoft provides a workaround that involves setting the maximum TcpReceivePacketSize to prevent exploitation. 
If patches cannot be deployed immediately, this workaround should be considered.\n\n## Hyper-V RemoteFX vGPU RCE\n\nMicrosoft patched six similar RCE vulnerabilities ([CVE-2020-1032](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032>), [CVE-2020-1036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036>), [CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>), [CVE-2020-1041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041>), [CVE-2020-1042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042>), [CVE-2020-1043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043>)) related to the way graphics drivers are handled in Hyper-V. Since the vulnerabilities involve directly attacking the host's graphics drivers, this patch simply disables RemoteFX functionality. According to Microsoft: "RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016."\n\n## Deserialization RCEs in PerformancePoint Services, SharePoint, .NET, and Visual Studio\n\nMicrosoft also patched two RCEs in PerformancePoint Services for SharePoint Server ([CVE-2020-1439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439>)) along with .NET Framework, SharePoint Server, and Visual Studio ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>)). 
These vulnerabilities both involve the deserialization of XML content and could lead to Remote Code Execution if exploited.\n\n## Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Download Manager](<https://helpx.adobe.com/security/products/adm/apsb20-49.html>), [Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb20-36.html>), [Genuine Service](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>), [ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb20-43.html>), and [Creative Cloud](<https://helpx.adobe.com/security/products/creative-cloud/apsb20-33.html>). The patches for Creative Cloud and ColdFusion are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.\n\n## About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>).", "cvss3": {}, "published": "2020-07-14T18:58:08", "type": "qualysblog", "title": "July 2020 Patch Tuesday \u2013 123 Vulnerabilities, 18 Critical, Hyper-V RemoteFX, DNS Server, Workstation, Adobe", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1147", "CVE-2020-1350", "CVE-2020-1439"], "modified": "2020-07-14T18:58:08", "id": "QUALYSBLOG:F343178EEC11B54CFAFBD0B4D505010B", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-23T16:02:16", "description": 
"On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. 
\n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| 
Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploiting, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", 
"CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend executing your search based on QQL (Qualys Query Language), as shown here, which returns the QIDs Qualys has released for the catalog: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to the Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. 
These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ 
`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this 
vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and view your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud 
Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:[`CVE-2021-1732`,`CVE-2020-1350`,`CVE-2020-1472`,`CVE-2021-26855`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2020-0601`,`CVE-2021-26857`,`CVE-2021-22893`,`CVE-2020-8243`,`CVE-2021-22900`,`CVE-2021-22894`,`CVE-2020-8260`,`CVE-2021-22899`,`CVE-2019-11510`]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve that compliance. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial step in threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. 
Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", 
"CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2020-07-21T16:02:08", "description": "Recently, [Check Point researchers](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) found a 17-year-old high-profile flaw, SIGRed (CVE-2020-1350). 
The flaw is a wormable, critical vulnerability in the Windows DNS server, and can be triggered by a malicious DNS response.\n\nOn a zero to 10 scale, this vulnerability has received a CVSS base score of 10 in terms of how easy it is to exploit and how damaging it can be. Successful exploitation could lead to a critical RCE on Windows DNS servers due to the improper handling of DNS requests - effectively compromising the entire corporate infrastructure.\n\nFortunately, Imperva [DDoS Protection for Domain Name Servers (DNS)](<https://www.imperva.com/products/dns-ddos-protection-services/>) can shield against this vulnerability and ensure the attack is not forwarded to the origin name server. Customers using our protected DNS service are safe provided that their DNS server accepts incoming requests from Imperva\u2019s proxies only (this configuration should be done in the onboarding process); thus, they should block incoming requests from other IPs and block requests that are not for this domain.\n\n## **How do we protect against this vulnerability?**\n\nThe Imperva service checks the requested DNS name and forwards the request to the origin (authoritative DNS server) only if the name matches the authoritative domain name.\n\nFor example: if a protected DNS customer protects the domain d1.com, only DNS queries that match *.d1.com will be forwarded to the origin server; any other domain name will not be forwarded.\n\nIn an attempt to exploit this vulnerability, an attacker would send a malicious DNS query with a domain name that is under the attacker\u2019s control (e.g. *.attacker.com). However, this query will not be forwarded to the origin because it doesn\u2019t match *.d1.com.\n\nMore focus on DNS is also on the docket at Imperva, in the form of a complete DNS offering later this year. 
The offering will include a fully managed secured DNS service, where you\u2019ll be able to administrate and secure your DNS zones, mitigating L3/4 volumetric, protocol & DNS DDoS attacks.\n\nThe goal is to provide a best-in-class secured DNS solution with maximum reliability, security and visibility, complemented by the kind of full management capabilities you\u2019d expect from a world-class DNS solution.\n\nIn the meantime, if you have further questions about CVE-2020-1350, or need additional information on how Imperva can offer you top-notch, edge to end protection, [contact us](<https://www.imperva.com/contact-us/>) today.\n\nThe post [Imperva Shields Against Windows DNS Server RCE Vulnerability (CVE-2020-1350)](<https://www.imperva.com/blog/imperva-shields-against-windows-dns-server-rce-vulnerability-cve-2020-1350/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-21T11:24:14", "type": "impervablog", "title": "Imperva Shields Against Windows DNS Server RCE Vulnerability (CVE-2020-1350)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-21T11:24:14", "id": "IMPERVABLOG:020B268DFC760B88704D35A6F4CF30D7", "href": "https://www.imperva.com/blog/imperva-shields-against-windows-dns-server-rce-vulnerability-cve-2020-1350/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-12-06T18:25:10", "description": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.\n\nTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.\n\nThe update addresses the vulnerability by modifying how Windows DNS servers handle requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-28T07:00:00", "id": "MS:CVE-2020-1350", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1350", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "pentestpartners": [{"lastseen": "2020-09-23T14:54:17", "description": "### TL;DR\n\nYes, apply the update from Microsoft.\n\n### The new MS08-067?\n\nCVE-2020-1472 is an elevation of privilege vulnerability in a cryptographic authentication scheme used by the Netlogon service and was discovered (and named Zerologon) by Tom Tervoort at [Secura](<https://www.secura.com/blog/zero-logon>). It does not require authentication. It can be used by an attacker to remotely compromise a domain controller, the result being domain admin access. That's pretty much as bad as it gets; naturally it is rated critical by [Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\nThe vulnerability was patched in August 2020 in the first of a 2 part update, the first mitigates, the second (coming in 2021) fully closes it.\n\n### What\u2019s affected?\n\nAll flavours of Microsoft Windows Server, including server core. Though the impact is predominantly going to affect your domain controllers.\n\nSome versions of Linux are also vulnerable, [SUSE](<https://www.suse.com/support/kb/doc/?id=000019713>), [Red Hat](<https://access.redhat.com/security/cve/CVE-2020-1472>)\n\n### Is it a risk for me?\n\nCommonly when Microsoft release a critical update the Infosec community make a big deal out of the vulnerability, rightly so in some cases, but in others often there is no actual public exploit code available. Now that doesn\u2019t mean there isn\u2019t code available in private groups and that those risks shouldn\u2019t be taken seriously, but the absence of exploit code does make the bar of exploit that little bit higher. 
Unlike [some cases](<https://blog.zsec.uk/cve-2020-1350-research/>), in Zerologon\u2019s case there are currently 31 repositories on Github which purport to reference the vulnerability:\n\nThese range from a basic detection type script through to full takeover of a domain. Whilst we cannot confirm the authenticity of all of these, some are known to function as expected, they should be taken seriously.\n\nAs exploits develop they are getting more advanced, the early attacks would render the domain controller the exploit was run on unusable, this is now getting refined to allow the attacker to recover the domain controller. The code is even being added to the popular [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) exploitation tool.\n\nThere is a risk that disgruntled internal staff will exploit this, right now there are no known PowerShell versions of this exploit and so short of an internal staff member using their own laptop it\u2019s unlikely that they will have the toolset to exploit it\u2026however, this will change.\n\nThe threat is real. This is becoming a \u2018point and click\u2019 type exploit.\n\n### What mitigating factors are there?\n\nIn order to exploit the vulnerability the attacker does need to be on the local area network, however, does not need credentials. This does mean an attacker needs to be inside your network boundary, but this could be achieved in many ways, most obviously through a phishing attack, but that may not be necessary\u2026 Have you got wired network points in public meeting rooms? How secure is your wireless?\n\nA read only domain controller is also likely affected, but it is unclear in what way. 
Read only domain controllers may increase the risk to your organisation as commonly these are placed outside the trust boundaries.\n\nThe exploit currently breaks the domain controller it is exploited on and so it is unlikely that responsible security consultants will execute the exploit, however, unknown threat actors are likely to. This is also likely to be improved as time goes on.\n\nThen\u2026well\u2026 there is the patch obviously.\n\nOnce you have applied the patch you can enable some [registry keys](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) that will enable DC enforcement, this will deny vulnerable Netlogon connections unless the account is allowed. Note, this will become the default in early 2021 as Microsoft will release a second update to implement this.\n\n### Detecting the exploit\n\nThere are a handful of rules you can add to your security monitoring server (thank you [Corelight](<https://corelight.blog/2020/09/16/detecting-zerologon-cve-2020-1472-with-zeek/>) for these links).\n\n * [Splunk](<https://www.linkedin.com/feed/update/urn:li:activity:6711471711751168000/>)\n * [Sigma](<https://twitter.com/andriinb/status/1304676530350628864?s=1>)\n * [Zeek](<https://github.com/corelight/zerologon>)\n\nEvent ID 4742 is worth monitoring, that will show changes to a computer account which is what Zerologon is doing. Though sadly this will likely only show you have already been compromised.\n\nThere are a number of other detection options in [this blog from Lares](<https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/>). Though sadly, like the above, this will likely only show you have already been compromised.\n\n### Conclusion\n\nSo in short, yes you should worry, this will be exploited for many years to come, we are still seeing MS08-067 in use, the exploits will get more reliable. 
The risk is very much real and the impact is as severe as it gets for an enterprise domain.\n\nThis is currently a changing threat, more and more researchers are looking at this and finding novel ways to exploit it.\n\nGet patching!\n\nThe post [CVE-2020-1472/Zerologon. As an IT manager should I worry?](<https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com/>).", "cvss3": {}, "published": "2020-09-23T05:05:06", "type": "pentestpartners", "title": "CVE-2020-1472/Zerologon. As an IT manager should I worry?", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1350", "CVE-2020-1472"], "modified": "2020-09-23T05:05:06", "id": "PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0", "href": "https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2020-07-16T10:01:23", "description": "**Microsoft** today released updates to plug a whopping 123 security holes in **Windows** and related software, including fixes for a critical, \"wormable\" flaw in **Windows Server** versions that Microsoft says is likely to be exploited soon. While this particular weakness mainly affects enterprises, July's care package from Redmond has a little something for everyone. 
So if you're a Windows (ab)user, it's time once again to back up and patch up (preferably in that order).\n\nTop of the heap this month in terms of outright scariness is [CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>), which concerns a remotely exploitable bug in more or less all versions of Windows Server that attackers could use to install malicious software simply by sending a specially crafted DNS request.\n\nMicrosoft said it is not aware of reports that anyone is exploiting the weakness (yet), but the flaw has been assigned a [CVSS score](<https://www.first.org/cvss/user-guide>) of 10, which translates to \"easy to attack\" and \"likely to be exploited.\"\n\n\"We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction,\" Microsoft wrote in its documentation of CVE-2020-1350. \"DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.\"\n\nCVE-2020-1350 is just the latest worry for enterprise system administrators in charge of patching dangerous bugs in widely-used software. Over the past couple of weeks, fixes for flaws with high severity ratings have been released for a broad array of software products typically used by businesses, [including Citrix, F5, Juniper, Oracle and SAP](<https://www.zdnet.com/article/recon-bug-lets-hackers-create-admin-accounts-on-sap-servers/>). This at a time when many organizations are already short-staffed and dealing with employees working remotely thanks to the COVID-19 pandemic.\n\nThe Windows Server vulnerability isn't the only nasty one addressed this month that malware or malcontents can use to break into systems without any help from users. 
A full 17 other critical flaws fixed in this release tackle security weaknesses that Microsoft assigned its most dire \"critical\" rating, such as in **Office**, **Internet Exploder**, **SharePoint**, **Visual Studio**, and Microsoft's **.NET Framework**.\n\nSome of the more eyebrow-raising critical bugs addressed this month include [CVE-2020-1410](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410>), which according to **Recorded Future** concerns the Windows Address Book and could be exploited via a malicious vcard file. Then there's [CVE-2020-1421](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421>), which protects against potentially malicious .LNK files (think [Stuxnet](<https://krebsonsecurity.com/2010/07/microsoft-to-issue-emergency-patch-for-critical-windows-bug/>)) that could be exploited via an infected removable drive or remote share. And we have the dynamic duo of [CVE-2020-1435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435>) and [CVE-2020-1436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436>), which involve problems with the way Windows handles images and fonts that could both be exploited to install malware just by getting a user to click a booby-trapped link or document.\n\nNot to say flaws rated \"important\" as opposed to critical aren't also a concern. Chief among those is [CVE-2020-1463](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1463>), a problem within **Windows 10** and **Server 2016** or later that was detailed publicly prior to this month's Patch Tuesday.\n\nBefore you update with this month\u2019s patch batch, please make sure you have backed up your system and/or important files. It\u2019s not uncommon for a particular Windows update to hose one\u2019s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files. 
Last month's bundle of joy from Microsoft sent my Windows 10 system into a perpetual crash state. Thankfully, I was able to restore from a recent backup.\n\nSo do yourself a favor and back up _before_ installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAlso, keep in mind that Windows 10 is set to apply patches on its own schedule, which means if you delay backing up you could be in for a wild ride. If you wish to ensure the operating system has been set to pause updating so you can back up your files and/or system _before_ the operating system decides to reboot and install patches whenever it sees fit, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. 
Also, keep an eye on [the AskWoody blog from Woody Leonhard](<https://www.askwoody.com/>), who keeps a reliable lookout for buggy Microsoft updates each month.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T21:45:28", "type": "krebs", "title": "\u2018Wormable\u2019 Flaw Leads July Microsoft Patches", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2020-1410", "CVE-2020-1421", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1463"], "modified": "2020-07-14T21:45:28", "id": "KREBS:1A886B22AAF8ADC53874F0E126C5A96D", "href": "https://krebsonsecurity.com/2020/07/wormable-flaw-leads-july-microsoft-patches/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-03-26T00:33:35", "description": "Hello everyone! It has been 3 months since [my last review of Microsoft vulnerabilities for Q4 2020](<https://avleonov.com/2021/01/11/vulristics-vulnerability-score-automated-data-collection-and-microsoft-patch-tuesdays-q4-2020/>). In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. 
There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.\n\nI will be using the reports that I created with my [Vulristics tool](<https://github.com/leonov-av/vulristics>). This time I'll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.\n\n## January 2021\n\n * All vulnerabilities: 83\n * Urgent: 0\n * Critical: 1\n * High: 28\n * Medium: 51\n * Low: 3\n\nSo, what was interesting in January? The only critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). "Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized."\n\nThe most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). "According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day."\n\nAlso, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.\n\nThere were no public exploits for any of the January vulnerabilities. January was a quiet and calm month.\n\n## February 2021\n\n * All vulnerabilities: 57\n * Urgent: 1\n * Critical: 2\n * High: 21\n * Medium: 31\n * Low: 2\n\nOne Urgent level vulnerability is Elevation of Privilege in Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. 
"Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data". A public exploit in the form of a Metasploit Module is found at Vulners ([Win32k ConsoleControl Offset Confusion](<https://vulners.com/packetstorm/packetstorm:161880>)).\n\nBut the situation with other critical vulnerabilities is interesting. None of the VM vendors mentioned them in their Patch Tuesday reviews.\n\n * This is Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on [AttackerKB](<https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085>) and for which a public exploit is found at Vulners ([Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161528>)). This is not the same vulnerability that was exploited in HAFNIUM. We'll get to those vulnerabilities later.\n * Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and Microsoft Exchange Server (CVE-2021-1730), were exploited in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.\n\nIf vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports? \n\n * Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. "Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact."\n * Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). "RCE flaw within Windows server installations when configured as a DNS server. 
Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered \u201cmore likely\u201d to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network."\n\nBut for these 2 vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that these vulnerabilities do not need to be fixed. When we see the exploitation of these vulnerabilities in the wild, it will be a disaster.\n\n## March 2021\n\n * All vulnerabilities: 82\n * Urgent: 0\n * Critical: 0\n * High: 36\n * Medium: 43\n * Low: 3\n\nAnd again, we see in the top not exactly the same vulnerabilities that VM vendors pointed out in their reviews.\n\n * Windows Container Execution Agent Elevation of Privilege Vulnerability (CVE-2021-26891). Just because a public exploit was found at Vulners ([Microsoft Windows Containers Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161734>)). \n * Internet Explorer Memory Corruption (CVE-2021-26411). "A memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website". Exploitation in the wild is mentioned at [AttackerKB](<https://attackerkb.com/topics/WZgkdqe2vN/cve-2021-26411>).\n\nBut we also see several Windows DNS Server Remote Code Executions. "All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. 
According to an analysis by researchers at McAfee, these CVEs are not considered \u201cwormable,\u201d yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020." In general, updating DNS Server is never a bad thing.\n\nAnd where is the most important thing? Naturally these are Exchange vulnerabilities and they were published between Patch Tuesdays. I made a special script to get such CVEs.\n\n## Other Q1 2021\n\n * All vulnerabilities: 85\n * Urgent: 0\n * Critical: 7\n * High: 5\n * Medium: 27\n * Low: 46\n\nThe 7 critical vulnerabilities are those Microsoft Exchange Server Remote Code Executions exploited in recent attacks. They have signs of exploitation in the wild at [AttackerKB](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). However, we still don't see public exploits.\n\n"[ProxyLogon](<https://proxylogon.com/>) is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!"\n\nEverything is extremely serious with these vulnerabilities and if you have public unpatched Exchange servers, then there is a good chance that you have already been hacked. For example, by HAFNIUM.\n\n"Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)".\n\n"Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. 
To date, Hafnium is the primary actor we\u2019ve seen use these exploits, which are discussed in detail [by MSTIC here](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what\u2019s called a web shell to control the compromised server remotely. Third, it would use that remote access \u2013 run from the U.S.-based private servers \u2013 to steal data from an organization\u2019s network."\n\nIn short, these Exchange vulnerabilities are the top.\n\nThe rest are Chrome vulnerabilities, simply because Microsoft's browser is now based on Chrome.\n\nYou can download full versions of reports here:\n\n * [ms_patch_tuesday_january2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_january2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_february2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_february2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_march2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_march2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_other_Q1_2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_other_Q1_2021_report_avleonov_comments.html>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-26T02:47:52", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q1 2021", 
"bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1350", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1664", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1698", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1730", "CVE-2021-1732", "CVE-2021-24074", "CVE-2021-24078", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26891", "CVE-2021-27065"], "modified": "2021-03-26T02:47:52", "id": "AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "href": "http://feedproxy.google.com/~r/avleonov/~3/poQoyaBweKg/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-20T04:20:58", "description": "I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.\n\n\n\n## Vulristics\n\nI decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project ([github](<https://github.com/leonov-av/vulristics>)). I named it _Vulristics _(from \u201cVulnerability\u201d and \u201cHeuristics\u201d). 
I want this to be an extensible framework for analyzing publicly available information about vulnerabilities.\n\nLet's say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases ([NVD](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>), [CVE page on the Microsoft website](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>), [Vulners.com](<https://vulners.com/cve/CVE-2020-1350>), etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.\n\nCurrently, there are the following scripts available:\n\n 1. [report_ms_patch_tuesday.py](<https://github.com/leonov-av/vulristics/blob/master/report_ms_patch_tuesday.py>) - analyze and group Microsoft Patch Tuesday CVEs.\n 2. [report_cve.py](<https://github.com/leonov-av/vulristics/blob/master/report_cve.py>) - collect and preprocess CVE ID-related data from NVD, Microsoft.com and Vulners.\n 3. [report_ms_patch_tuesday_exploits.py](<https://github.com/leonov-av/vulristics/blob/master/report_ms_patch_tuesday_exploits.py>) - get Microsoft Patch Tuesday CVEs and filter vulnerabilities with public exploits (based on Vulners.com).\n\nOf course, we can do much more than that. I have plans to add:\n\n * analysis of the vulnerability description based on keywords and phrases (it's good that such descriptions usually have a fairly regular structure)\n * analysis of references\n * danger and relevance metrics counting ([vulnerability quadrants](<https://avleonov.com/2017/05/10/vulnerability-quadrants/>)) \nand so on.\n\nIf you have good ideas please [share them in the chat](<https://t.me/avleonovchat>). 
Help with the coding would also be much appreciated. \n\nFinally, some obvious warnings:\n\n * This tool is NOT an interface to any particular database.\n * The tool makes requests to third-party sources.\n\nSo keep in mind that if you actively use it for bulk operations, you may have problems with the owners of these third-party sources, for example, your IP address will simply be banned. So be careful and reasonable!\n\n## July MS Patch Tuesday Report\n\nBut enough about my tool, let's talk about the results for July MS Patch Tuesday. There were 123 vulnerabilities in July. 18 are critical and 105 are important. As for the public exploits, I checked the vulnerabilities with report_ms_patch_tuesday_exploits.py and found nothing.\n\nThere are no exploits for these vulnerabilities on Vulners. Microsoft also believes that there are no _Exploitation detected_ vulnerabilities this time.\n\n### Exploitation more likely\n\nBut we see 8 _Exploitation more likely_ vulnerabilities:\n\n#### Remote Code Execution\n\n * .NET Framework, SharePoint Server, and Visual Studio ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>))\n * Remote Desktop Client ([CVE-2020-1374](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1374>))\n * VBScript ([CVE-2020-1403](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1403>))\n * Windows DNS Server ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>))\n\n#### Elevation of Privilege\n\n * Windows Graphics Component ([CVE-2020-1381](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1381>), [CVE-2020-1382](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1382>))\n * Windows Runtime ([CVE-2020-1399](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1399>))\n\n#### Information Disclosure\n\n * Windows Kernel 
([CVE-2020-1426](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1426>))\n\nWindows DNS Server RCE ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), called SIGRed, is the star of this Patch Tuesday. It's extremely critical and has existed for 17 years, affecting Windows Server versions from 2003 to 2019. Getting RCE with only a DNS request is really impressive. Checkpoint guys made a [great article about this vulnerability](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) with [video of PoC](<https://www.youtube.com/watch?v=PUlMmhD5it8>). When this vulnerability was released, there was a feeling that there would be a public RCE exploit soon. But still there are only several [Rickroll jokes](<https://github.com/ZephrFish/CVE-2020-1350>) and a DoS exploit by [maxpl0it](<https://github.com/maxpl0it/CVE-2020-1350-DoS/commits?author=maxpl0it>), which looks workable, but for some reason is not present in the exploit databases, for example in [exploit-db](<https://www.exploit-db.com/>). Therefore, [Vulners does not see it](<https://vulners.com/cve/CVE-2020-1350>), as I mentioned above. Indeed, searching for exploits and exploit validation are important tasks!\n\nIn second place, of course, is RDP Client RCE ([CVE-2020-1374](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1374>)). When a client connects to an infected server it becomes susceptible to an RCE attack. All versions from Windows 7 (and possibly earlier!) to the latest version of Windows 10 (2004) are vulnerable. Of course, the exploitation of this vulnerability requires social engineering or a Man-in-the-Middle attack.\n\n.NET Framework, SharePoint Server, and Visual Studio RCE ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>)) involves the deserialization of XML content. 
To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content.\n\nVBScript RCE ([CVE-2020-1403](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1403>)). An attacker would have to convince a user to execute malicious code through phishing or to visit a malicious website, where the user would download and execute a crafted file. In fact, we see tons of these vulnerabilities every Patch Tuesday, but still no exploits.\n\nWindows Graphics Component Elevation of Privilege vulnerabilities ([CVE-2020-1381](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1381>), [CVE-2020-1382](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1382>)). An attacker logs onto a vulnerable system and executes a specially crafted application to run processes in an elevated context.\n\n### Other Product based (14)\n\nLooking at other vulnerabilities, the products with the most vulnerabilities are Hyper-V RemoteFX vGPU (RCEs) and Windows Runtime (EoPs). 
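The triage this report does by hand (which CVEs have a public exploit on Vulners, which ones Microsoft rates _Exploitation more likely_, how severe they are) can be written down as a small join over bulletin records. The Python below is an added illustration, not code from Vulristics, report_ms_patch_tuesday_exploits.py or this post. The record shape (`type`, `bulletinFamily`, `cvelist`, `cvss3` → `cvssV3` → `baseScore`) follows the JSON records embedded in this page; the sample records, the family names `exploit` and `NVD`, the placeholder CVE-1900-0001 with its exploit entry, and the scores are constructed or assumed for the example.

```python
"""Prioritise a Patch Tuesday CVE list with Vulners-style bulletin records.

Added example; not code from Vulristics or from this post. Record fields follow the
records embedded in this page ("type", "bulletinFamily", "cvelist", "cvss3" -> "cvssV3"
-> "baseScore"). The sample records, the family names "exploit" and "NVD", the
placeholder CVE-1900-0001 and the scores below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

EXPLOIT_FAMILIES = {"exploit"}  # assumption: family name used for exploit entries
SCANNER_FAMILY = "scanner"      # as in the openvas records embedded in this page


def record_cvss3(record: dict) -> Optional[float]:
    """CVSS v3 base score of a record, or None when it has none.

    Scanner records on this page carry an empty "cvss3": {}, and multi-CVE bulletins
    (a blog post, a cumulative update) carry one aggregate score that describes no
    single CVE, so only single-CVE records are allowed to contribute a score.
    """
    if len(record.get("cvelist") or []) != 1:
        return None
    v3 = (record.get("cvss3") or {}).get("cvssV3") or {}
    score = v3.get("baseScore")
    return float(score) if score is not None else None


@dataclass
class CveTriage:
    cve: str
    vendor_more_likely: bool = False        # Microsoft "Exploitation more likely"
    exploit_ids: List[str] = field(default_factory=list)
    scanner_ids: List[str] = field(default_factory=list)
    max_cvss3: Optional[float] = None

    def sort_key(self):
        # Public exploit first, then vendor rating, then severity, then name for stability.
        return (not self.exploit_ids, not self.vendor_more_likely,
                -(self.max_cvss3 or 0.0), self.cve)


def triage(cves: Iterable[str], records: Iterable[dict],
           more_likely: Iterable[str] = ()) -> List[CveTriage]:
    """Join this month's CVEs with bulletin records and return them in priority order."""
    likely = set(more_likely)
    table: Dict[str, CveTriage] = {c: CveTriage(c, vendor_more_likely=c in likely) for c in cves}
    for rec in records:
        score = record_cvss3(rec)
        for cve in rec.get("cvelist") or []:
            entry = table.get(cve)
            if entry is None:
                continue  # record references a CVE outside this month's list
            family = rec.get("bulletinFamily")
            if family in EXPLOIT_FAMILIES:
                entry.exploit_ids.append(rec["id"])
            elif family == SCANNER_FAMILY:
                entry.scanner_ids.append(rec["id"])
            if score is not None and (entry.max_cvss3 is None or score > entry.max_cvss3):
                entry.max_cvss3 = score
    return sorted(table.values(), key=CveTriage.sort_key)


# Constructed sample input, shaped like the records embedded in this page.
MORE_LIKELY = ["CVE-2020-1147", "CVE-2020-1350", "CVE-2020-1374"]
JULY_CVES = MORE_LIKELY + ["CVE-2020-1439", "CVE-1900-0001"]  # CVE-1900-0001: placeholder
SAMPLE_RECORDS = [
    # single-CVE NVD-style records (scores illustrative, not authoritative)
    {"id": "CVE-2020-1350", "type": "cve", "bulletinFamily": "NVD",
     "cvelist": ["CVE-2020-1350"], "cvss3": {"cvssV3": {"baseScore": 10.0}}},
    {"id": "CVE-2020-1374", "type": "cve", "bulletinFamily": "NVD",
     "cvelist": ["CVE-2020-1374"], "cvss3": {"cvssV3": {"baseScore": 8.8}}},
    {"id": "CVE-2020-1147", "type": "cve", "bulletinFamily": "NVD",
     "cvelist": ["CVE-2020-1147"], "cvss3": {"cvssV3": {"baseScore": 7.8}}},
    {"id": "CVE-2020-1439", "type": "cve", "bulletinFamily": "NVD",
     "cvelist": ["CVE-2020-1439"], "cvss3": {"cvssV3": {"baseScore": 8.8}}},
    # scanner plugin with no cvss3 data, like the openvas records on this page
    {"id": "OPENVAS:1361412562310817230", "type": "openvas", "bulletinFamily": "scanner",
     "cvelist": ["CVE-2020-1350", "CVE-2020-1374"], "cvss3": {}},
    # multi-CVE blog record: its aggregate 10.0 must not leak onto every CVE it lists
    {"id": "AVLEONOV:EXAMPLE", "type": "avleonov", "bulletinFamily": "blog",
     "cvelist": JULY_CVES, "cvss3": {"cvssV3": {"baseScore": 10.0}}},
    # constructed exploit entry for the placeholder CVE only
    {"id": "EXPLOIT:PLACEHOLDER-0001", "type": "example", "bulletinFamily": "exploit",
     "cvelist": ["CVE-1900-0001"], "cvss3": {}},
]

if __name__ == "__main__":
    for t in triage(JULY_CVES, SAMPLE_RECORDS, MORE_LIKELY):
        print(f"{t.cve}: exploits={t.exploit_ids} more_likely={t.vendor_more_likely} "
              f"cvss3={t.max_cvss3} scanners={len(t.scanner_ids)}")
```

The one design choice worth noting is in `record_cvss3`: a bulletin that covers many CVEs (this very post, or a KB rollup) carries a single aggregate score, and if you let it contribute, every CVE it lists inherits a 10.0. Only single-CVE records feed the score, and records with an empty `cvss3` (the scanner entries) are simply skipped rather than crashing the join.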

#### Hyper-V RemoteFX vGPU

 * Remote Code Execution ([CVE-2020-1032](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032>), [CVE-2020-1036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036>), [CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>), [CVE-2020-1041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041>), [CVE-2020-1042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042>), [CVE-2020-1043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043>))

#### Windows Runtime

 * Elevation of Privilege ([CVE-2020-1249](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1249>), [CVE-2020-1353](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1353>), [CVE-2020-1370](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1370>), [CVE-2020-1404](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1404>), [CVE-2020-1413](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1413>), [CVE-2020-1414](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1414>), [CVE-2020-1415](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1415>), [CVE-2020-1422](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1422>))

RCEs in Hyper-V RemoteFX vGPU ([CVE-2020-1032](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032>), [CVE-2020-1036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036>), [CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>), [CVE-2020-1041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041>), [CVE-2020-1042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042>), [CVE-2020-1043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043>)). Microsoft's patch simply disables the RemoteFX functionality. According to Microsoft: “RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.”

### Other Vulnerability Type based (101)

#### Remote Code Execution

 * DirectWrite ([CVE-2020-1409](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1409>))
 * GDI+ ([CVE-2020-1435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435>))
 * Jet Database Engine ([CVE-2020-1400](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1400>), [CVE-2020-1401](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1401>), [CVE-2020-1407](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1407>))
 * LNK ([CVE-2020-1421](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421>))
 * Microsoft Excel ([CVE-2020-1240](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1240>))
 * Microsoft Graphics ([CVE-2020-1408](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1408>))
 * Microsoft Graphics Components ([CVE-2020-1412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1412>))
 * Microsoft Office ([CVE-2020-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1458>))
 * Microsoft Outlook ([CVE-2020-1349](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1349>))
 * Microsoft Project ([CVE-2020-1449](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1449>))
 * Microsoft SharePoint ([CVE-2020-1444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1444>))
 * Microsoft Word ([CVE-2020-1446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1446>), [CVE-2020-1447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1447>), [CVE-2020-1448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1448>))
 * PerformancePoint Services ([CVE-2020-1439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439>))
 * Visual Studio Code ESLint Extension ([CVE-2020-1481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1481>))
 * Windows Address Book ([CVE-2020-1410](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410>))
 * Windows Font Driver Host ([CVE-2020-1355](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1355>))
 * Windows Font Library ([CVE-2020-1436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436>))

#### Denial of Service

 * Bond ([CVE-2020-1469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1469>))
 * Local Security Authority Subsystem Service ([CVE-2020-1267](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1267>))
 * Windows WalletService ([CVE-2020-1364](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1364>))

#### Elevation of Privilege

 * Group Policy Services Policy Processing ([CVE-2020-1333](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1333>))
 * Microsoft Defender ([CVE-2020-1461](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1461>))
 * Microsoft Office ([CVE-2020-1025](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1025>))
 * Microsoft OneDrive ([CVE-2020-1465](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1465>))
 * Visual Studio and Visual Studio Code ([CVE-2020-1416](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1416>))
 * Windows ([CVE-2020-1388](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1388>), [CVE-2020-1392](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1392>), [CVE-2020-1394](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1394>), [CVE-2020-1395](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1395>))
 * Windows ALPC ([CVE-2020-1396](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1396>))
 * Windows ActiveX Installer Service ([CVE-2020-1402](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1402>))
 * Windows AppX Deployment Extensions ([CVE-2020-1431](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1431>))
 * Windows CNG Key Isolation Service ([CVE-2020-1359](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1359>), [CVE-2020-1384](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1384>))
 * Windows COM Server ([CVE-2020-1375](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1375>))
 * Windows Credential Enrollment Manager Service ([CVE-2020-1368](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1368>))
 * Windows Credential Picker ([CVE-2020-1385](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1385>))
 * Windows Diagnostics Hub ([CVE-2020-1393](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1393>), [CVE-2020-1418](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1418>))
 * Windows Error Reporting Manager ([CVE-2020-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1429>))
 * Windows Event Logging Service ([CVE-2020-1365](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1365>), [CVE-2020-1371](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1371>))
 * Windows Function Discovery Service ([CVE-2020-1085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1085>))
 * Windows Kernel ([CVE-2020-1336](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1336>), [CVE-2020-1411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1411>))
 * Windows Lockscreen ([CVE-2020-1398](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1398>))
 * Windows Mobile Device Management Diagnostics ([CVE-2020-1372](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1372>), [CVE-2020-1405](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1405>))
 * Windows Modules Installer ([CVE-2020-1346](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1346>))
 * Windows Network Connections Service ([CVE-2020-1373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1373>), [CVE-2020-1390](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1390>), [CVE-2020-1427](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1427>), [CVE-2020-1428](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1428>), [CVE-2020-1438](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1438>))
 * Windows Network List Service ([CVE-2020-1406](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1406>))
 * Windows Network Location Awareness Service ([CVE-2020-1437](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1437>))
 * Windows Picker Platform ([CVE-2020-1363](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1363>))
 * Windows Print Workflow Service ([CVE-2020-1366](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1366>))
 * Windows Profile Service ([CVE-2020-1360](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1360>))
 * Windows Push Notification Service ([CVE-2020-1387](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1387>))
 * Windows SharedStream Library ([CVE-2020-1463](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1463>))
 * Windows Storage Services ([CVE-2020-1347](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1347>))
 * Windows Subsystem for Linux ([CVE-2020-1423](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1423>))
 * Windows Sync Host Service ([CVE-2020-1434](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1434>))
 * Windows System Events Broker ([CVE-2020-1357](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1357>))
 * Windows UPnP Device Host ([CVE-2020-1354](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1354>), [CVE-2020-1430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1430>))
 * Windows USO Core Worker ([CVE-2020-1352](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1352>))
 * Windows Update Stack ([CVE-2020-1424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1424>))
 * Windows WalletService ([CVE-2020-1344](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1344>), [CVE-2020-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1362>), [CVE-2020-1369](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1369>))
 * Windows iSCSI Target Service ([CVE-2020-1356](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1356>))

#### Information Disclosure

 * Connected User Experiences and Telemetry Service ([CVE-2020-1386](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1386>))
 * Microsoft Edge PDF ([CVE-2020-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1433>))
 * Microsoft Graphics Component ([CVE-2020-1351](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1351>))
 * Microsoft Office ([CVE-2020-1342](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1342>), [CVE-2020-1445](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1445>))
 * Skype for Business via Internet Explorer ([CVE-2020-1432](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1432>))
 * Skype for Business via Microsoft Edge (EdgeHTML-based) ([CVE-2020-1462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1462>))
 * Windows Agent Activation Runtime ([CVE-2020-1391](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1391>))
 * Windows Error Reporting ([CVE-2020-1420](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1420>))
 * Windows GDI ([CVE-2020-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1468>))
 * Windows Imaging Component ([CVE-2020-1397](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1397>))
 * Windows Kernel ([CVE-2020-1367](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1367>), [CVE-2020-1389](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1389>), [CVE-2020-1419](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1419>))
 * Windows Mobile Device Management Diagnostics ([CVE-2020-1330](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1330>))
 * Windows Resource Policy ([CVE-2020-1358](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1358>))
 * Windows WalletService ([CVE-2020-1361](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1361>))

#### Cross Site Scripting

 * Azure DevOps Server ([CVE-2020-1326](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1326>))
 * Microsoft SharePoint ([CVE-2020-1450](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1450>), [CVE-2020-1451](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1451>), [CVE-2020-1456](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1456>))
 * Microsoft SharePoint Reflective ([CVE-2020-1454](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1454>))
 * Office Web Apps ([CVE-2020-1442](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1442>))

#### Spoofing

 * Microsoft SharePoint ([CVE-2020-1443](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1443>))

Among the other vulnerabilities, vulnerability management vendors highlight the following.

RCE in PerformancePoint Services ([CVE-2020-1439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439>)). PerformancePoint is a SharePoint component, and the vulnerability is similar to the _Exploitation more likely_ SharePoint vulnerability ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>)) we discussed above.

Microsoft Word RCEs ([CVE-2020-1446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1446>), [CVE-2020-1447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1447>), [CVE-2020-1448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1448>)). Exploitation of these vulnerabilities requires an attacker to send a specially crafted file to a victim, or to convince a user to visit a crafted website hosting a malicious file, which the user must open with a vulnerable version of Microsoft Word. Obviously, this is good for phishing.

Jet Database Engine RCEs ([CVE-2020-1400](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1400>), [CVE-2020-1401](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1401>), [CVE-2020-1407](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1407>)). To exploit these vulnerabilities, an attacker must convince a victim to open a specially crafted file or visit a malicious website.

Visual Studio Code ESLint Extension RCE ([CVE-2020-1481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1481>)). To exploit this vulnerability, an attacker would need to convince a user to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute in the context of the current user, with the same rights and permissions.

Windows Modules Installer Elevation of Privilege ([CVE-2020-1346](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1346>)) was mentioned by Rapid7: "In this particular case, the Servicing Stack Updates released this month should have been installed prior to installing the cumulative update/monthly rollup or security update patch. While it was not explicitly outlined, following these directions from Microsoft for CVE-2020-1346 may have a direct impact on the order of operations when resolving other issues such as CVE-2020-1350."

", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-02T04:05:22", "type": "avleonov", "title": "Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1025", "CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1085", "CVE-2020-1147", 
"CVE-2020-1240", "CVE-2020-1249", "CVE-2020-1267", "CVE-2020-1326", "CVE-2020-1330", "CVE-2020-1333", "CVE-2020-1336", "CVE-2020-1342", "CVE-2020-1344", "CVE-2020-1346", "CVE-2020-1347", "CVE-2020-1349", "CVE-2020-1350", "CVE-2020-1351", "CVE-2020-1352", "CVE-2020-1353", "CVE-2020-1354", "CVE-2020-1355", "CVE-2020-1356", "CVE-2020-1357", "CVE-2020-1358", "CVE-2020-1359", "CVE-2020-1360", "CVE-2020-1361", "CVE-2020-1362", "CVE-2020-1363", "CVE-2020-1364", "CVE-2020-1365", "CVE-2020-1366", "CVE-2020-1367", "CVE-2020-1368", "CVE-2020-1369", "CVE-2020-1370", "CVE-2020-1371", "CVE-2020-1372", "CVE-2020-1373", "CVE-2020-1374", "CVE-2020-1375", "CVE-2020-1381", "CVE-2020-1382", "CVE-2020-1384", "CVE-2020-1385", "CVE-2020-1386", "CVE-2020-1387", "CVE-2020-1388", "CVE-2020-1389", "CVE-2020-1390", "CVE-2020-1391", "CVE-2020-1392", "CVE-2020-1393", "CVE-2020-1394", "CVE-2020-1395", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1398", "CVE-2020-1399", "CVE-2020-1400", "CVE-2020-1401", "CVE-2020-1402", "CVE-2020-1403", "CVE-2020-1404", "CVE-2020-1405", "CVE-2020-1406", "CVE-2020-1407", "CVE-2020-1408", "CVE-2020-1409", "CVE-2020-1410", "CVE-2020-1411", "CVE-2020-1412", "CVE-2020-1413", "CVE-2020-1414", "CVE-2020-1415", "CVE-2020-1416", "CVE-2020-1418", "CVE-2020-1419", "CVE-2020-1420", "CVE-2020-1421", "CVE-2020-1422", "CVE-2020-1423", "CVE-2020-1424", "CVE-2020-1426", "CVE-2020-1427", "CVE-2020-1428", "CVE-2020-1429", "CVE-2020-1430", "CVE-2020-1431", "CVE-2020-1432", "CVE-2020-1433", "CVE-2020-1434", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1437", "CVE-2020-1438", "CVE-2020-1439", "CVE-2020-1442", "CVE-2020-1443", "CVE-2020-1444", "CVE-2020-1445", "CVE-2020-1446", "CVE-2020-1447", "CVE-2020-1448", "CVE-2020-1449", "CVE-2020-1450", "CVE-2020-1451", "CVE-2020-1454", "CVE-2020-1456", "CVE-2020-1458", "CVE-2020-1461", "CVE-2020-1462", "CVE-2020-1463", "CVE-2020-1465", "CVE-2020-1468", "CVE-2020-1469", "CVE-2020-1481"], "modified": "2020-08-02T04:05:22", "id": 
"AVLEONOV:7DAB33D28205885E8979C4C664958CDC", "href": "http://feedproxy.google.com/~r/avleonov/~3/BltzY4Fi__s/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T19:50:57", "description": "This host is missing a critical security\n update according to Microsoft KB4565536", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565536)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1401", "CVE-2020-1403", "CVE-2020-1436", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1371", "CVE-2020-1350", "CVE-2020-1468", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1389", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1427", "CVE-2020-1267", "CVE-2020-1430", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1408", "CVE-2020-1437", "CVE-2020-1400", "CVE-2020-1359", "CVE-2020-1428", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817232", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817232", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817232\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2020-1085\", \"CVE-2020-1267\", \"CVE-2020-1333\", \"CVE-2020-1350\",\n \"CVE-2020-1354\", \"CVE-2020-1359\", \"CVE-2020-1360\", \"CVE-2020-1365\",\n \"CVE-2020-1371\", \"CVE-2020-1373\", \"CVE-2020-1384\", \"CVE-2020-1389\",\n \"CVE-2020-1390\", \"CVE-2020-1396\", \"CVE-2020-1397\", \"CVE-2020-1400\",\n \"CVE-2020-1401\", \"CVE-2020-1403\", \"CVE-2020-1407\", \"CVE-2020-1408\",\n \"CVE-2020-1409\", \"CVE-2020-1410\", \"CVE-2020-1412\", \"CVE-2020-1419\",\n \"CVE-2020-1421\", \"CVE-2020-1427\", \"CVE-2020-1428\", \"CVE-2020-1430\",\n \"CVE-2020-1435\", \"CVE-2020-1436\", \"CVE-2020-1437\", \"CVE-2020-1438\",\n \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 20:23:57 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4565536)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4565536\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).\n\n - DirectWrite fails to properly handle objects in memory.\n\n - Windows Address Book (WAB) fails to properly processes vcard files.\n\n - 
Windows Graphics Device Interface (GDI) fails to properly handle\n objects in the memory.\n\n - Windows Network Connections Service fails to handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2\n\n - Microsoft Windows Server 2008 for x64-based Systems Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565536\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"5.2.6003.20883\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 5.2.6003.20883\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-07-21T19:51:37", "description": "This host is missing a critical security\n update according to Microsoft KB4565524", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565524)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1432", "CVE-2020-1401", "CVE-2020-1403", "CVE-2020-1436", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1402", "CVE-2020-1371", "CVE-2020-1350", "CVE-2020-1468", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1389", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1427", "CVE-2020-1267", "CVE-2020-1430", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1374", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1408", "CVE-2020-1437", "CVE-2020-1400", "CVE-2020-1359", "CVE-2020-1428", "CVE-2020-1351", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817230", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
The rest of this page is a JSON export of six Greenbone/OpenVAS plugin records (`type: openvas`, `bulletinFamily: scanner`; the NASL source sits in each record's `sourceData`) for the July 2020 Windows cumulative updates, all of which carry SIGRed (CVE-2020-1350). The six scripts are built from one template: the GPL-2.0-or-later license header, the `include()` lines and the `summary`, `vuldetect`, `impact`, `solution`, `solution_type` (`VendorFix`), `qod_type` (`executable_version`), `script_category(ACT_GATHER_INFO)`, `script_copyright`, `script_family("Windows : Microsoft Bulletins")`, `script_dependencies("smb_reg_service_pack.nasl")`, `script_require_ports(139, 445)` and `script_mandatory_keys("SMB/WindowsVersion")` lines are identical in all of them, as are `script_version("2020-07-20T05:00:04+0000")`, `last_modification` (2020-07-20 05:00:04 +0000) and `cvss_base_vector` (`AV:N/AC:M/Au:N/C:C/I:C/A:C`). The JSON envelope of every record has `published: 2020-07-15`, `modified: 2020-07-20`, empty `cvss2`/`cvss3`, and `cvss: {score: 10.0, vector: "AV:N/AC:L/Au:N/C:C/I:C/A:C"}`. Note the inconsistency: four scripts set `cvss_base` to 10.0 while their own vector (`AC:M`) scores 9.3 under CVSS v2, which is the value the KB4565524 and KB4565503 scripts use; 10.0 only matches the `AC:L` vector in the JSON envelope.

The KB4565541 plugin, decoded from its `sourceData` string, stands for all six; only the fields listed in the table and bullets below differ between them.

```nasl
# Copyright (C) 2020 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.817231");
  script_version("2020-07-20T05:00:04+0000");
  script_cve_id("CVE-2020-1085", "CVE-2020-1249", "CVE-2020-1267", "CVE-2020-1333",
                "CVE-2020-1350", "CVE-2020-1351", "CVE-2020-1354", "CVE-2020-1356",
                "CVE-2020-1359", "CVE-2020-1360", "CVE-2020-1365", "CVE-2020-1368",
                "CVE-2020-1371", "CVE-2020-1373", "CVE-2020-1374", "CVE-2020-1384",
                "CVE-2020-1385", "CVE-2020-1389", "CVE-2020-1390", "CVE-2020-1396",
                "CVE-2020-1397", "CVE-2020-1399", "CVE-2020-1400", "CVE-2020-1401",
                "CVE-2020-1402", "CVE-2020-1403", "CVE-2020-1406", "CVE-2020-1407",
                "CVE-2020-1408", "CVE-2020-1409", "CVE-2020-1410", "CVE-2020-1412",
                "CVE-2020-1419", "CVE-2020-1421", "CVE-2020-1427", "CVE-2020-1428",
                "CVE-2020-1430", "CVE-2020-1432", "CVE-2020-1435", "CVE-2020-1436",
                "CVE-2020-1437", "CVE-2020-1438", "CVE-2020-1468");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)");
  script_tag(name:"creation_date", value:"2020-07-15 19:22:27 +0530 (Wed, 15 Jul 2020)");
  script_name("Microsoft Windows Multiple Vulnerabilities (KB4565541)");

  script_tag(name:"summary", value:"This host is missing a critical security
  update according to Microsoft KB4565541");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present
  on the target host.");

  script_tag(name:"insight", value:"Multiple flaws exists due to,

  - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).

  - DirectWrite fails to properly handle objects in memory.

  - Windows Address Book (WAB) fails to properly processes vcard files.

  - Windows Graphics Device Interface (GDI) fails to properly handle
  objects in the memory.

  - Windows Network Connections Service fails to handle objects in memory.
  Please see the references for more information about the vulnerabilities.");

  script_tag(name:"impact", value:"Successful exploitation will allow an attacker
  to execute arbitrary code, elevate privilges, disclose sensitive information
  and denial of service attacks.");

  script_tag(name:"affected", value:"- Microsoft Windows 8.1 32-bit Systems

  - Microsoft Windows 8.1 for x64-based Systems

  - Microsoft Windows Server 2012 R2");

  script_tag(name:"solution", value:"The vendor has released updates. Please see
  the references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"executable_version");
  script_xref(name:"URL", value:"https://support.microsoft.com/en-us/help/4565541");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("smb_reg_service_pack.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");
  exit(0);
}

include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0)
  exit(0);

dllPath = smb_get_system32root();
if(!dllPath)
  exit(0);

fileVer = fetch_file_version(sysPath:dllPath, file_name:"Gdiplus.dll");
if(!fileVer)
  exit(0);

if(version_is_less(version:fileVer, test_version:"6.3.9600.19756")) {
  report = report_fixed_ver(file_checked:dllPath + "\Gdiplus.dll",
                            file_version:fileVer, vulnerable_range:"Less than 6.3.9600.19756");
  security_message(data:report);
  exit(0);
}

exit(99);
```

Fields that differ between the six plugins (OIDs are `1.3.6.1.4.1.25623.1.0.` plus the suffix; `creation_date` times are +0530 on 2020-07-15; every script checks `Gdiplus.dll` under the system32 root):

| KB (`script_xref` URL `https://support.microsoft.com/en-us/help/<KB>`) | OID suffix | `cvss_base` | `creation_date` | `affected` | `hotfix_check_sp()` | `Gdiplus.dll` test |
|---|---|---|---|---|---|---|
| KB4565524 | 817230 | 9.3 | 18:26:24 | Windows Server 2008 R2 x64 SP1; Windows Server 2012; Windows 7 SP1 (x64 and 32-bit) | `win2008r2:2, win2012:1, win7x64:2, win7:2` | `version_is_less` than 5.2.7601.24557 |
| KB4565541 | 817231 | 10.0 | 19:22:27 | Windows 8.1 (32-bit and x64); Windows Server 2012 R2 | `win8_1:1, win8_1x64:1, win2012R2:1` | `version_is_less` than 6.3.9600.19756 |
| KB4565511 | 817226 | 10.0 | 15:23:26 | Windows 10 1607 (32-bit and x64); Windows Server 2016 | `win10:1, win10x64:1, win2016:1` | `version_in_range` 10.0.14393.0 to 10.0.14393.3807 |
| KB4558998 | 817228 | 10.0 | 17:15:21 | Windows 10 1809 (32-bit and x64); Windows Server 2019 | `win10:1, win10x64:1, win2019:1` | `version_in_range` 10.0.17763.0 to 10.0.17763.1338 |
| KB4565483 | 817088 | 10.0 | 14:47:24 | Windows 10 1903 and 1909 (32-bit and x64) | `win10:1, win10x64:1` | `version_in_range` 10.0.18362.0 to 10.0.18362.959 |
| KB4565503 | 817224 | 9.3 | 12:33:34 | cut off in the source after `- Microsoft Windows` | not on the page | not on the page |

Per plugin, the `insight` bullets and the CVE list (`script_cve_id`, identical as a set to the record's JSON `cvelist`):

- **KB4565524** (the JSON envelope of this record precedes this excerpt). Insight: Windows DNS servers fail to properly handle requests (SIGRed, CVE-2020-1350); Windows Event Logging Service fails to properly handle memory; Windows Network Location Awareness Service fails to properly handle objects in memory; Windows Jet Database Engine fails to properly handle objects in memory; Windows Network Connections Service fails to properly handle objects in memory; Windows Cryptography Next Generation (CNG) Key Isolation service fails to properly handle memory. 37 CVEs: CVE-2020-1085, CVE-2020-1267, CVE-2020-1333, CVE-2020-1350, CVE-2020-1351, CVE-2020-1354, CVE-2020-1359, CVE-2020-1360, CVE-2020-1365, CVE-2020-1371, CVE-2020-1373, CVE-2020-1374, CVE-2020-1384, CVE-2020-1389, CVE-2020-1390, CVE-2020-1396, CVE-2020-1397, CVE-2020-1400, CVE-2020-1401, CVE-2020-1402, CVE-2020-1403, CVE-2020-1407, CVE-2020-1408, CVE-2020-1409, CVE-2020-1410, CVE-2020-1412, CVE-2020-1419, CVE-2020-1421, CVE-2020-1427, CVE-2020-1428, CVE-2020-1430, CVE-2020-1432, CVE-2020-1435, CVE-2020-1436, CVE-2020-1437, CVE-2020-1438, CVE-2020-1468.
- **KB4565541**: id `OPENVAS:1361412562310817231`, `lastseen` 2020-07-21T19:51:31, href `http://plugins.openvas.org/nasl.php?oid=1361412562310817231`. Insight and the 43 CVEs: see the plugin reproduced above.
- **KB4565511**: id `OPENVAS:1361412562310817226`, `lastseen` 2020-07-21T19:51:39, href `http://plugins.openvas.org/nasl.php?oid=1361412562310817226`. Insight: Windows DNS servers (SIGRed, CVE-2020-1350); Windows System Events Broker fails to properly handle file operations; Windows WalletService fails to properly handle objects in memory; Windows Runtime fails to properly handle objects in memory; Windows Jet Database Engine fails to properly handle objects in memory; Windows Network Connections Service fails to properly handle objects in memory; SharedStream Library fails to handle objects in memory. 68 CVEs: CVE-2020-1085, CVE-2020-1147, CVE-2020-1249, CVE-2020-1267, CVE-2020-1333, CVE-2020-1336, CVE-2020-1344, CVE-2020-1350, CVE-2020-1351, CVE-2020-1352, CVE-2020-1353, CVE-2020-1354, CVE-2020-1356, CVE-2020-1357, CVE-2020-1358, CVE-2020-1359, CVE-2020-1360, CVE-2020-1361, CVE-2020-1362, CVE-2020-1364, CVE-2020-1365, CVE-2020-1368, CVE-2020-1369, CVE-2020-1370, CVE-2020-1371, CVE-2020-1373, CVE-2020-1374, CVE-2020-1384, CVE-2020-1385, CVE-2020-1388, CVE-2020-1389, CVE-2020-1390, CVE-2020-1393, CVE-2020-1395, CVE-2020-1396, CVE-2020-1397, CVE-2020-1398, CVE-2020-1399, CVE-2020-1400, CVE-2020-1401, CVE-2020-1402, CVE-2020-1403, CVE-2020-1404, CVE-2020-1406, CVE-2020-1407, CVE-2020-1408, CVE-2020-1409, CVE-2020-1410, CVE-2020-1411, CVE-2020-1412, CVE-2020-1413, CVE-2020-1419, CVE-2020-1420, CVE-2020-1421, CVE-2020-1427, CVE-2020-1428, CVE-2020-1429, CVE-2020-1430, CVE-2020-1432, CVE-2020-1433, CVE-2020-1434, CVE-2020-1435, CVE-2020-1436, CVE-2020-1437, CVE-2020-1438, CVE-2020-1462, CVE-2020-1463, CVE-2020-1468.
- **KB4558998**: id `OPENVAS:1361412562310817228`, `lastseen` 2020-07-21T19:51:36, href `http://plugins.openvas.org/nasl.php?oid=1361412562310817228`. Insight: Windows DNS servers (SIGRed, CVE-2020-1350); Windows System Events Broker fails to properly handle file operations; Windows WalletService fails to properly handle objects in memory; Windows Mobile Device Management (MDM) Diagnostics fails to properly handle objects in memory; Windows Jet Database Engine fails to properly handle objects in memory; Windows Network Connections Service fails to properly handle objects in memory; SharedStream Library fails to handle objects in memory. 86 CVEs: CVE-2020-1085, CVE-2020-1249, CVE-2020-1267, CVE-2020-1330, CVE-2020-1333, CVE-2020-1336, CVE-2020-1344, CVE-2020-1347, CVE-2020-1350, CVE-2020-1351, CVE-2020-1352, CVE-2020-1353, CVE-2020-1354, CVE-2020-1356, CVE-2020-1357, CVE-2020-1358, CVE-2020-1359, CVE-2020-1360, CVE-2020-1361, CVE-2020-1362, CVE-2020-1363, CVE-2020-1364, CVE-2020-1365, CVE-2020-1366, CVE-2020-1367, CVE-2020-1368, CVE-2020-1369, CVE-2020-1370, CVE-2020-1371, CVE-2020-1372, CVE-2020-1373, CVE-2020-1374, CVE-2020-1375, CVE-2020-1384, CVE-2020-1385, CVE-2020-1386, CVE-2020-1387, CVE-2020-1388, CVE-2020-1389, CVE-2020-1390, CVE-2020-1392, CVE-2020-1393, CVE-2020-1394, CVE-2020-1395, CVE-2020-1396, CVE-2020-1397, CVE-2020-1398, CVE-2020-1399, CVE-2020-1400, CVE-2020-1401, CVE-2020-1402, CVE-2020-1403, CVE-2020-1404, CVE-2020-1405, CVE-2020-1406, CVE-2020-1407, CVE-2020-1408, CVE-2020-1409, CVE-2020-1410, CVE-2020-1411, CVE-2020-1412, CVE-2020-1413, CVE-2020-1414, CVE-2020-1415, CVE-2020-1418, CVE-2020-1419, CVE-2020-1420, CVE-2020-1421, CVE-2020-1422, CVE-2020-1424, CVE-2020-1426, CVE-2020-1427, CVE-2020-1428, CVE-2020-1429, CVE-2020-1430, CVE-2020-1431, CVE-2020-1432, CVE-2020-1433, CVE-2020-1434, CVE-2020-1435, CVE-2020-1436, CVE-2020-1437, CVE-2020-1438, CVE-2020-1462, CVE-2020-1463, CVE-2020-1468.
- **KB4565483**: id `OPENVAS:1361412562310817088`, `lastseen` 2020-07-21T19:50:57, href `http://plugins.openvas.org/nasl.php?oid=1361412562310817088`. Insight: same seven items as KB4558998. 90 CVEs: CVE-2020-1085, CVE-2020-1249, CVE-2020-1267, CVE-2020-1330, CVE-2020-1333, CVE-2020-1336, CVE-2020-1344, CVE-2020-1347, CVE-2020-1350, CVE-2020-1351, CVE-2020-1352, CVE-2020-1353, CVE-2020-1354, CVE-2020-1355, CVE-2020-1356, CVE-2020-1357, CVE-2020-1358, CVE-2020-1359, CVE-2020-1360, CVE-2020-1361, CVE-2020-1362, CVE-2020-1363, CVE-2020-1364, CVE-2020-1365, CVE-2020-1366, CVE-2020-1367, CVE-2020-1368, CVE-2020-1369, CVE-2020-1370, CVE-2020-1371, CVE-2020-1372, CVE-2020-1373, CVE-2020-1374, CVE-2020-1375, CVE-2020-1381, CVE-2020-1382, CVE-2020-1384, CVE-2020-1385, CVE-2020-1386, CVE-2020-1387, CVE-2020-1388, CVE-2020-1389, CVE-2020-1390, CVE-2020-1391, CVE-2020-1392, CVE-2020-1393, CVE-2020-1394, CVE-2020-1395, CVE-2020-1396, CVE-2020-1397, CVE-2020-1398, CVE-2020-1399, CVE-2020-1400, CVE-2020-1401, CVE-2020-1402, CVE-2020-1403, CVE-2020-1404, CVE-2020-1405, CVE-2020-1406, CVE-2020-1407, CVE-2020-1408, CVE-2020-1409, CVE-2020-1410, CVE-2020-1411, CVE-2020-1412, CVE-2020-1413, CVE-2020-1414, CVE-2020-1415, CVE-2020-1418, CVE-2020-1419, CVE-2020-1420, CVE-2020-1421, CVE-2020-1422, CVE-2020-1424, CVE-2020-1426, CVE-2020-1427, CVE-2020-1428, CVE-2020-1429, CVE-2020-1430, CVE-2020-1431, CVE-2020-1432, CVE-2020-1433, CVE-2020-1434, CVE-2020-1435, CVE-2020-1436, CVE-2020-1437, CVE-2020-1438, CVE-2020-1462, CVE-2020-1463, CVE-2020-1468.
- **KB4565503**: id `OPENVAS:1361412562310817224`, `lastseen` 2020-07-21T19:51:32, href `http://plugins.openvas.org/nasl.php?oid=1361412562310817224`. Insight: same seven items as KB4558998. 92 CVEs: CVE-2019-1469, CVE-2020-1085, CVE-2020-1249, CVE-2020-1267, CVE-2020-1330, CVE-2020-1333, CVE-2020-1336, CVE-2020-1344, CVE-2020-1347, CVE-2020-1350, CVE-2020-1351, CVE-2020-1352, CVE-2020-1353, CVE-2020-1354, CVE-2020-1355, CVE-2020-1356, CVE-2020-1357, CVE-2020-1358, CVE-2020-1359, CVE-2020-1360, CVE-2020-1361, CVE-2020-1362, CVE-2020-1363, CVE-2020-1364, CVE-2020-1365, CVE-2020-1366, CVE-2020-1367, CVE-2020-1368, CVE-2020-1369, CVE-2020-1370, CVE-2020-1371, CVE-2020-1372, CVE-2020-1373, CVE-2020-1374, CVE-2020-1375, CVE-2020-1381, CVE-2020-1382, CVE-2020-1384, CVE-2020-1385, CVE-2020-1386, CVE-2020-1387, CVE-2020-1388, CVE-2020-1389, CVE-2020-1390, CVE-2020-1391, CVE-2020-1392, CVE-2020-1393, CVE-2020-1394, CVE-2020-1395, CVE-2020-1396, CVE-2020-1397, CVE-2020-1398, CVE-2020-1399, CVE-2020-1400, CVE-2020-1401, CVE-2020-1402, CVE-2020-1403, CVE-2020-1404, CVE-2020-1405, CVE-2020-1406, CVE-2020-1407, CVE-2020-1408, CVE-2020-1409, CVE-2020-1410, CVE-2020-1411, CVE-2020-1412, CVE-2020-1413, CVE-2020-1414, CVE-2020-1415, CVE-2020-1418, CVE-2020-1419, CVE-2020-1420, CVE-2020-1421, CVE-2020-1422, CVE-2020-1423, CVE-2020-1424, CVE-2020-1426, CVE-2020-1427, CVE-2020-1428, CVE-2020-1429, CVE-2020-1430, CVE-2020-1431, CVE-2020-1432, CVE-2020-1433, CVE-2020-1434, CVE-2020-1435, CVE-2020-1436, CVE-2020-1437, CVE-2020-1438, CVE-2020-1462, CVE-2020-1463, CVE-2020-1468. The source is cut off inside this record's `affected` tag, so its platform list and detection code are not on the page.
10 Version 2004 for 32-bit Systems\n\n - Microsoft Windows 10 Version 2004 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565503\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0)\n exit(0);\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.19041.0\", test_version2:\"10.0.19041.387\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.19041.0 - 10.0.19041.387\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-12-22T23:31:37", "description": "### *Detect date*:\n07/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nInternet Explorer 11 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1803 for x64-based Systems \nMicrosoft Office 2019 for Mac \nWindows RT 8.1 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nMicrosoft Office 2016 for Mac \nWindows Server 2019 \nInternet Explorer 9 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based 
Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-1333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1333>) \n[CVE-2020-1384](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1384>) \n[CVE-2020-1346](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1346>) \n[CVE-2020-1389](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1389>) \n[CVE-2020-1032](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1032>) \n[CVE-2020-1036](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1036>) \n[CVE-2020-1360](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1360>) \n[CVE-2020-1267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1267>) \n[CVE-2020-1365](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1365>) \n[CVE-2020-1354](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1354>) \n[CVE-2020-1419](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1419>) \n[CVE-2020-1438](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1438>) \n[CVE-2020-1435](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1435>) \n[CVE-2020-1412](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1412>) 
\n[CVE-2020-1437](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1437>) \n[CVE-2020-1436](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1436>) \n[CVE-2020-1430](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1430>) \n[CVE-2020-1428](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1428>) \n[CVE-2020-1396](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1396>) \n[CVE-2020-1397](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1397>) \n[CVE-2020-1390](<https://nvd.nist.gov/vuln/detail/CVE-2020-1390>) \n[CVE-2020-1359](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1359>) \n[CVE-2020-1371](<https://nvd.nist.gov/vuln/detail/CVE-2020-1371>) \n[CVE-2020-1350](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1350>) \n[CVE-2020-1351](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1351>) \n[CVE-2020-1040](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1040>) \n[CVE-2020-1041](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1041>) \n[CVE-2020-1042](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1042>) \n[CVE-2020-1043](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1043>) \n[CVE-2020-1373](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1373>) \n[CVE-2020-1410](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1410>) \n[CVE-2020-1374](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1374>) \n[CVE-2020-1085](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1085>) \n[CVE-2020-1407](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1407>) 
\n[CVE-2020-1400](<https://nvd.nist.gov/vuln/detail/CVE-2020-1400>) \n[CVE-2020-1401](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1401>) \n[CVE-2020-1402](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1402>) \n[CVE-2020-1403](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1403>) \n[CVE-2020-1427](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1427>) \n[CVE-2020-1468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1468>) \n[CVE-2020-1408](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1408>) \n[CVE-2020-1409](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1409>) \n[CVE-2020-1421](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1421>) \n[ADV200008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/ADV200008>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2020-1403](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1403>)7.6Critical \n[CVE-2020-1333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1333>)3.7Warning \n[CVE-2020-1384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1384>)4.6Warning \n[CVE-2020-1346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1346>)4.6Warning \n[CVE-2020-1389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1389>)2.1Warning \n[CVE-2020-1032](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1032>)7.7Critical \n[CVE-2020-1036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1036>)7.7Critical \n[CVE-2020-1360](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1360>)4.6Warning \n[CVE-2020-1267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1267>)4.0Warning 
\n[CVE-2020-1365](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1365>)4.6Warning \n[CVE-2020-1354](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1354>)4.6Warning \n[CVE-2020-1419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1419>)2.1Warning \n[CVE-2020-1438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1438>)4.6Warning \n[CVE-2020-1435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1435>)9.3Critical \n[CVE-2020-1412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1412>)9.3Critical \n[CVE-2020-1437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1437>)4.6Warning \n[CVE-2020-1436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1436>)6.8High \n[CVE-2020-1430](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1430>)4.6Warning \n[CVE-2020-1428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1428>)4.6Warning \n[CVE-2020-1396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1396>)4.6Warning \n[CVE-2020-1397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1397>)4.3Warning \n[CVE-2020-1390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1390>)4.6Warning \n[CVE-2020-1359](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1359>)4.6Warning \n[CVE-2020-1371](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1371>)4.6Warning \n[CVE-2020-1351](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1351>)2.1Warning \n[CVE-2020-1040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1040>)7.7Critical \n[CVE-2020-1041](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1041>)7.7Critical \n[CVE-2020-1042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1042>)7.7Critical \n[CVE-2020-1043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1043>)7.7Critical \n[CVE-2020-1373](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1373>)4.6Warning 
\n[CVE-2020-1410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1410>)9.3Critical \n[CVE-2020-1374](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1374>)5.1High \n[CVE-2020-1085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1085>)4.6Warning \n[CVE-2020-1407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1407>)9.3Critical \n[CVE-2020-1400](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1400>)9.3Critical \n[CVE-2020-1401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1401>)9.3Critical \n[CVE-2020-1402](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1402>)7.2High \n[CVE-2020-1427](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1427>)4.6Warning \n[CVE-2020-1468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1468>)4.3Warning \n[CVE-2020-1408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1408>)9.3Critical \n[CVE-2020-1409](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1409>)9.3Critical \n[CVE-2020-1421](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1421>)9.3Critical\n\n### *KB list*:\n[4565524](<http://support.microsoft.com/kb/4565524>) \n[4565479](<http://support.microsoft.com/kb/4565479>) \n[4565529](<http://support.microsoft.com/kb/4565529>) \n[4565539](<http://support.microsoft.com/kb/4565539>) \n[4565353](<http://support.microsoft.com/kb/4565353>) \n[4565354](<http://support.microsoft.com/kb/4565354>) \n[4565536](<http://support.microsoft.com/kb/4565536>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": 
"2020-07-14T00:00:00", "type": "kaspersky", "title": "KLA11863 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1085", "CVE-2020-1267", "CVE-2020-1333", "CVE-2020-1346", "CVE-2020-1350", "CVE-2020-1351", "CVE-2020-1354", "CVE-2020-1359", "CVE-2020-1360", "CVE-2020-1365", "CVE-2020-1371", "CVE-2020-1373", "CVE-2020-1374", "CVE-2020-1384", "CVE-2020-1389", "CVE-2020-1390", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1400", "CVE-2020-1401", "CVE-2020-1402", "CVE-2020-1403", "CVE-2020-1407", "CVE-2020-1408", "CVE-2020-1409", "CVE-2020-1410", "CVE-2020-1412", "CVE-2020-1419", "CVE-2020-1421", "CVE-2020-1427", "CVE-2020-1428", "CVE-2020-1430", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1437", "CVE-2020-1438", "CVE-2020-1468"], "modified": "2020-07-22T00:00:00", "id": "KLA11863", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11863/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-22T23:31:32", "description": "### *Detect date*:\n07/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. 
Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1803 for x64-based Systems \nWindows RT 8.1 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2019 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) 
\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-1347](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1347>) \n[CVE-2020-1346](<https://nvd.nist.gov/vuln/detail/CVE-2020-1346>) \n[CVE-2020-1344](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1344>) \n[CVE-2020-1267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1267>) \n[CVE-2020-1419](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1419>) \n[CVE-2020-1418](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1418>) \n[CVE-2020-1413](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1413>) \n[CVE-2020-1412](<https://nvd.nist.gov/vuln/detail/CVE-2020-1412>) \n[CVE-2020-1411](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1411>) \n[CVE-2020-1410](<https://nvd.nist.gov/vuln/detail/CVE-2020-1410>) \n[CVE-2020-1415](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1415>) \n[CVE-2020-1414](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1414>) \n[CVE-2020-1358](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1358>) \n[CVE-2020-1359](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1359>) \n[CVE-2020-1350](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1350>) \n[CVE-2020-1351](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1351>) 
\n[CVE-2020-1352](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1352>) \n[CVE-2020-1353](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1353>) \n[CVE-2020-1354](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1354>) \n[CVE-2020-1355](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1355>) \n[CVE-2020-1356](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1356>) \n[CVE-2020-1357](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1357>) \n[CVE-2020-1085](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1085>) \n[CVE-2020-1404](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1404>) \n[CVE-2020-1405](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1405>) \n[CVE-2020-1406](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1406>) \n[CVE-2020-1407](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1407>) \n[CVE-2020-1400](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1400>) \n[CVE-2020-1401](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1401>) \n[CVE-2020-1402](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1402>) \n[CVE-2020-1408](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1408>) \n[CVE-2020-1409](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1409>) \n[CVE-2020-1336](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1336>) \n[CVE-2020-1333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1333>) \n[CVE-2020-1330](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1330>) 
\n[CVE-2020-1463](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1463>) \n[CVE-2020-1468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1468>) \n[CVE-2020-1382](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1382>) \n[CVE-2020-1381](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1381>) \n[CVE-2020-1387](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1387>) \n[CVE-2020-1386](<https://nvd.nist.gov/vuln/detail/CVE-2020-1386>) \n[CVE-2020-1385](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1385>) \n[CVE-2020-1384](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1384>) \n[CVE-2020-1389](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1389>) \n[CVE-2020-1388](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1388>) \n[CVE-2020-1398](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1398>) \n[CVE-2020-1399](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1399>) \n[CVE-2020-1394](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1394>) \n[CVE-2020-1395](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1395>) \n[CVE-2020-1396](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1396>) \n[CVE-2020-1397](<https://nvd.nist.gov/vuln/detail/CVE-2020-1397>) \n[CVE-2020-1390](<https://nvd.nist.gov/vuln/detail/CVE-2020-1390>) \n[CVE-2020-1391](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1391>) \n[CVE-2020-1392](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1392>) \n[CVE-2020-1393](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1393>) 
\n[CVE-2020-1040](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1040>) \n[CVE-2020-1041](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1041>) \n[CVE-2020-1042](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1042>) \n[CVE-2020-1043](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1043>) \n[CVE-2020-1032](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1032>) \n[CVE-2020-1036](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1036>) \n[CVE-2020-1361](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1361>) \n[CVE-2020-1360](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1360>) \n[CVE-2020-1363](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1363>) \n[CVE-2020-1362](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1362>) \n[CVE-2020-1365](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1365>) \n[CVE-2020-1364](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1364>) \n[CVE-2020-1367](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1367>) \n[CVE-2020-1366](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1366>) \n[CVE-2020-1369](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1369>) \n[CVE-2020-1368](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1368>) \n[CVE-2020-1438](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1438>) \n[CVE-2020-1435](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1435>) \n[CVE-2020-1434](<https://nvd.nist.gov/vuln/detail/CVE-2020-1434>) \n[CVE-2020-1437](<https://nvd.nist.gov/vuln/detail/CVE-2020-1437>) 
\n[CVE-2020-1436](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1436>) \n[CVE-2020-1431](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1431>) \n[CVE-2020-1430](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1430>) \n[CVE-2020-1372](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1372>) \n[CVE-2020-1373](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1373>) \n[CVE-2020-1370](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1370>) \n[CVE-2020-1371](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1371>) \n[CVE-2020-1374](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1374>) \n[CVE-2020-1375](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1375>) \n[CVE-2020-1249](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1249>) \n[CVE-2020-1428](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1428>) \n[CVE-2020-1429](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1429>) \n[CVE-2020-1426](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1426>) \n[CVE-2020-1427](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1427>) \n[CVE-2020-1424](<https://nvd.nist.gov/vuln/detail/CVE-2020-1424>) \n[CVE-2020-1422](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1422>) \n[CVE-2020-1423](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1423>) \n[CVE-2020-1420](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1420>) \n[CVE-2020-1421](<https://nvd.nist.gov/vuln/detail/CVE-2020-1421>) \n[ADV200008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008>) \n\n\n### *Impacts*:\nACE \n\n### *Related 
products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-1393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1393>)4.6Warning \n[CVE-2020-1333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1333>)3.7Warning \n[CVE-2020-1384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1384>)4.6Warning \n[CVE-2020-1346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1346>)4.6Warning \n[CVE-2020-1389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1389>)2.1Warning \n[CVE-2020-1032](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1032>)7.7Critical \n[CVE-2020-1036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1036>)7.7Critical \n[CVE-2020-1360](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1360>)4.6Warning \n[CVE-2020-1267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1267>)4.0Warning \n[CVE-2020-1365](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1365>)4.6Warning \n[CVE-2020-1354](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1354>)4.6Warning \n[CVE-2020-1419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1419>)2.1Warning \n[CVE-2020-1438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1438>)4.6Warning \n[CVE-2020-1435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1435>)9.3Critical \n[CVE-2020-1412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1412>)9.3Critical \n[CVE-2020-1437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1437>)4.6Warning \n[CVE-2020-1436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1436>)6.8High \n[CVE-2020-1430](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1430>)4.6Warning \n[CVE-2020-1428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1428>)4.6Warning \n[CVE-2020-1396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1396>)4.6Warning 
\n[CVE-2020-1397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1397>)4.3Warning \n[CVE-2020-1390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1390>)4.6Warning \n[CVE-2020-1359](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1359>)4.6Warning \n[CVE-2020-1371](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1371>)4.6Warning \n[CVE-2020-1351](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1351>)2.1Warning \n[CVE-2020-1040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1040>)7.7Critical \n[CVE-2020-1041](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1041>)7.7Critical \n[CVE-2020-1042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1042>)7.7Critical \n[CVE-2020-1043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1043>)7.7Critical \n[CVE-2020-1373](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1373>)4.6Warning \n[CVE-2020-1410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1410>)9.3Critical \n[CVE-2020-1374](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1374>)5.1High \n[CVE-2020-1085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1085>)4.6Warning \n[CVE-2020-1407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1407>)9.3Critical \n[CVE-2020-1400](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1400>)9.3Critical \n[CVE-2020-1401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1401>)9.3Critical \n[CVE-2020-1402](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1402>)7.2High \n[CVE-2020-1427](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1427>)4.6Warning \n[CVE-2020-1468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1468>)4.3Warning \n[CVE-2020-1408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1408>)9.3Critical \n[CVE-2020-1409](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1409>)9.3Critical 
\n[CVE-2020-1421](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1421>)9.3Critical \n[CVE-2020-1347](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1347>)4.6Warning \n[CVE-2020-1344](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1344>)4.6Warning \n[CVE-2020-1418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1418>)7.2High \n[CVE-2020-1413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1413>)4.6Warning \n[CVE-2020-1411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1411>)7.2High \n[CVE-2020-1415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1415>)4.6Warning \n[CVE-2020-1414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1414>)4.6Warning \n[CVE-2020-1358](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1358>)2.1Warning \n[CVE-2020-1352](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1352>)4.6Warning \n[CVE-2020-1353](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1353>)4.6Warning \n[CVE-2020-1355](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1355>)4.6Warning \n[CVE-2020-1356](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1356>)4.6Warning \n[CVE-2020-1357](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1357>)4.6Warning \n[CVE-2020-1404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1404>)4.6Warning \n[CVE-2020-1405](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1405>)3.6Warning \n[CVE-2020-1406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1406>)7.2High \n[CVE-2020-1336](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1336>)4.6Warning \n[CVE-2020-1330](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1330>)2.1Warning \n[CVE-2020-1463](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1463>)4.6Warning \n[CVE-2020-1382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1382>)4.6Warning 
\n[CVE-2020-1381](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1381>)4.6Warning \n[CVE-2020-1387](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1387>)4.6Warning \n[CVE-2020-1386](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1386>)2.1Warning \n[CVE-2020-1385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1385>)4.6Warning \n[CVE-2020-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1388>)4.6Warning \n[CVE-2020-1398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1398>)4.6Warning \n[CVE-2020-1399](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1399>)4.6Warning \n[CVE-2020-1394](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1394>)4.6Warning \n[CVE-2020-1395](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1395>)4.6Warning \n[CVE-2020-1391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1391>)2.1Warning \n[CVE-2020-1392](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1392>)4.6Warning \n[CVE-2020-1361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1361>)2.1Warning \n[CVE-2020-1363](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1363>)4.6Warning \n[CVE-2020-1362](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1362>)4.6Warning \n[CVE-2020-1364](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1364>)3.6Warning \n[CVE-2020-1367](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1367>)2.1Warning \n[CVE-2020-1366](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1366>)4.6Warning \n[CVE-2020-1369](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1369>)4.6Warning \n[CVE-2020-1368](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1368>)4.6Warning \n[CVE-2020-1434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1434>)4.6Warning \n[CVE-2020-1431](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1431>)4.6Warning 
\n[CVE-2020-1372](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1372>)4.6Warning \n[CVE-2020-1370](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1370>)4.6Warning \n[CVE-2020-1375](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1375>)4.6Warning \n[CVE-2020-1249](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1249>)4.6Warning \n[CVE-2020-1429](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1429>)7.2High \n[CVE-2020-1426](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1426>)2.1Warning \n[CVE-2020-1424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1424>)7.2High \n[CVE-2020-1422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1422>)4.6Warning \n[CVE-2020-1423](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1423>)4.6Warning \n[CVE-2020-1420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1420>)2.1Warning\n\n### *KB list*:\n[4565541](<http://support.microsoft.com/kb/4565541>) \n[4558998](<http://support.microsoft.com/kb/4558998>) \n[4565489](<http://support.microsoft.com/kb/4565489>) \n[4565483](<http://support.microsoft.com/kb/4565483>) \n[4565508](<http://support.microsoft.com/kb/4565508>) \n[4565511](<http://support.microsoft.com/kb/4565511>) \n[4565513](<http://support.microsoft.com/kb/4565513>) \n[4565537](<http://support.microsoft.com/kb/4565537>) \n[4565503](<http://support.microsoft.com/kb/4565503>) \n[4565540](<http://support.microsoft.com/kb/4565540>) \n[4565554](<http://support.microsoft.com/kb/4565554>) \n[4565553](<http://support.microsoft.com/kb/4565553>) \n[4566425](<http://support.microsoft.com/kb/4566425>) \n[4558997](<http://support.microsoft.com/kb/4558997>) \n[4565911](<http://support.microsoft.com/kb/4565911>) \n[4565912](<http://support.microsoft.com/kb/4565912>) \n[4566785](<http://support.microsoft.com/kb/4566785>) \n[4566426](<http://support.microsoft.com/kb/4566426>) \n[4565535](<http://support.microsoft.com/kb/4565535>) 
\n[4565552](<http://support.microsoft.com/kb/4565552>) \n[4571692](<http://support.microsoft.com/kb/4571692>) \n[4571694](<http://support.microsoft.com/kb/4571694>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "kaspersky", "title": "KLA11865 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1085", "CVE-2020-1249", "CVE-2020-1267", "CVE-2020-1330", "CVE-2020-1333", "CVE-2020-1336", "CVE-2020-1344", "CVE-2020-1346", "CVE-2020-1347", "CVE-2020-1350", "CVE-2020-1351", "CVE-2020-1352", "CVE-2020-1353", "CVE-2020-1354", "CVE-2020-1355", "CVE-2020-1356", "CVE-2020-1357", "CVE-2020-1358", "CVE-2020-1359", "CVE-2020-1360", "CVE-2020-1361", "CVE-2020-1362", "CVE-2020-1363", "CVE-2020-1364", "CVE-2020-1365", "CVE-2020-1366", "CVE-2020-1367", "CVE-2020-1368", "CVE-2020-1369", "CVE-2020-1370", "CVE-2020-1371", "CVE-2020-1372", "CVE-2020-1373", "CVE-2020-1374", "CVE-2020-1375", 
"CVE-2020-1381", "CVE-2020-1382", "CVE-2020-1384", "CVE-2020-1385", "CVE-2020-1386", "CVE-2020-1387", "CVE-2020-1388", "CVE-2020-1389", "CVE-2020-1390", "CVE-2020-1391", "CVE-2020-1392", "CVE-2020-1393", "CVE-2020-1394", "CVE-2020-1395", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1398", "CVE-2020-1399", "CVE-2020-1400", "CVE-2020-1401", "CVE-2020-1402", "CVE-2020-1404", "CVE-2020-1405", "CVE-2020-1406", "CVE-2020-1407", "CVE-2020-1408", "CVE-2020-1409", "CVE-2020-1410", "CVE-2020-1411", "CVE-2020-1412", "CVE-2020-1413", "CVE-2020-1414", "CVE-2020-1415", "CVE-2020-1418", "CVE-2020-1419", "CVE-2020-1420", "CVE-2020-1421", "CVE-2020-1422", "CVE-2020-1423", "CVE-2020-1424", "CVE-2020-1426", "CVE-2020-1427", "CVE-2020-1428", "CVE-2020-1429", "CVE-2020-1430", "CVE-2020-1431", "CVE-2020-1434", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1437", "CVE-2020-1438", "CVE-2020-1463", "CVE-2020-1468"], "modified": "2020-09-10T00:00:00", "id": "KLA11865", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11865/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}