ID CVE-2017-11814 Type cve Reporter cve@mitre.org Modified 2017-10-20T12:56:00
Description
The Microsoft Windows Kernel component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, allows an information disclosure vulnerability when it improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-11765, CVE-2017-11784, and CVE-2017-11785.
{"id": "CVE-2017-11814", "bulletinFamily": "NVD", "title": "CVE-2017-11814", "description": "The Microsoft Windows Kernel component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, allows an information disclosure vulnerability when it improperly handles objects in memory, aka \"Windows Kernel Information Disclosure Vulnerability\". This CVE ID is unique from CVE-2017-11765, CVE-2017-11784, and CVE-2017-11785.", "published": "2017-10-13T13:29:00", "modified": "2017-10-20T12:56:00", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11814", "reporter": "cve@mitre.org", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11814", "http://www.securityfocus.com/bid/101093", "http://www.securitytracker.com/id/1039526"], "cvelist": ["CVE-2017-11814"], "type": "cve", "lastseen": "2021-02-02T06:36:34", "edition": 4, "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-101093"]}, {"type": "mscve", "idList": ["MS:CVE-2017-11814"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812016", "OPENVAS:1361412562310811865", "OPENVAS:1361412562310811921", "OPENVAS:1361412562310811927", "OPENVAS:1361412562310812026", "OPENVAS:1361412562310812022", "OPENVAS:1361412562310811925", "OPENVAS:1361412562310811920"]}, {"type": "kaspersky", "idList": ["KLA11108", "KLA11111"]}, {"type": "nessus", "idList": ["SMB_NT_MS17_OCT_4041689.NASL", "SMB_NT_MS17_OCT_4041693.NASL", "SMB_NT_MS17_OCT_4041691.NASL", "SMB_NT_MS17_OCT_WIN2008.NASL", "SMB_NT_MS17_OCT_4041690.NASL", "SMB_NT_MS17_OCT_4042895.NASL", "SMB_NT_MS17_OCT_4041681.NASL", "SMB_NT_MS17_OCT_4041676.NASL"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D985A5A21B218B47A518D6D4AB858393"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:141C894C9A7CCB3BB2E580A6C8292E37"]}], "modified": "2021-02-02T06:36:34", "rev": 2}, "score": {"value": 2.2, "vector": "NONE", "modified": "2021-02-02T06:36:34", "rev": 2}, "vulnersScore": 2.2}, "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:*"], "affectedSoftware": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1703"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 
2016", "operator": "eq", "version": "-"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"], "cwe": ["CWE-200"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11814", "refsource": "CONFIRM", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11814"}, {"name": "101093", "refsource": "BID", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101093"}, {"name": "1039526", "refsource": "SECTRACK", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039526"}], "immutableFields": []}
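The scanner plugins reproduced further down on this page (the OpenVAS checks for KB4042120, KB4041681, KB4041690 and KB4041693) all detect a host that is still exposed to CVE-2017-11814 the same way: read the version of one system32 binary over SMB and call version_is_less against the first fixed build. The following is an added example, not code from NVD, Microsoft or Greenbone, that re-implements that comparison offline in Python, generalized to a table of the four file/threshold pairs quoted in those plugins. The CHECKS table keys, the Finding class and the sample host data are constructed for illustration; nothing here talks to a real host. It also shows why the comparison has to be numeric rather than a string comparison.

```python
"""Offline re-implementation of the file-version check the OpenVAS plugins on
this page perform. Added example, not Greenbone's, Microsoft's or NVD's code.
Thresholds and KB numbers are copied from the plugin sources on this page;
the observed versions below are constructed test data, not real hosts."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# os family key -> (file checked, first fixed file version, update),
# taken from the four plugin sources reproduced on this page.
CHECKS = {
    "win2008":   ("win32k.sys",  "6.0.6002.24200", "KB4042120"),
    "win7":      ("win32k.sys",  "6.1.7601.23914", "KB4041681"),
    "win2008r2": ("win32k.sys",  "6.1.7601.23914", "KB4041681"),
    "win2012":   ("shell32.dll", "6.2.9200.22281", "KB4041690"),
    "win8_1":    ("gdi32.dll",   "6.3.9600.18818", "KB4041693"),
    "win2012r2": ("gdi32.dll",   "6.3.9600.18818", "KB4041693"),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """'6.1.7601.23914' -> (6, 1, 7601, 23914); rejects anything non-numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed file version: {s!r}")
    return tuple(int(p) for p in parts)


def version_is_less(found: str, fixed: str) -> bool:
    """Component-wise numeric comparison, which is what NASL's version_is_less
    does. A plain string comparison would rank '6.1.7601.9999' above
    '6.1.7601.23914' because '9' > '2', and so miss an unpatched host."""
    a, b = parse_version(found), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so 6.1.7601 compares equal to 6.1.7601.0
    b += (0,) * (n - len(b))
    return a < b


@dataclass
class Finding:
    os_key: str
    file_name: str
    found: str
    fixed: str
    kb: str

    def report(self) -> str:
        # Same shape as the security_message() text the plugins emit.
        return (f"File checked: system32\\{self.file_name}\n"
                f"File version: {self.found}\n"
                f"Vulnerable range: Less than {self.fixed} (missing {self.kb})\n")


def check_host(os_key: str, observed: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the host's binary is below the fixed version,
    None when it is patched, unreadable, or an OS these plugins do not cover.
    `observed` maps file name -> version string as read off the host (here
    constructed; on a real host it comes from the file's VERSIONINFO)."""
    if os_key not in CHECKS:
        return None
    file_name, fixed, kb = CHECKS[os_key]
    found = observed.get(file_name)
    if found is None:  # the plugins exit silently if the file cannot be read
        return None
    if version_is_less(found, fixed):
        return Finding(os_key, file_name, found, fixed, kb)
    return None


# Constructed sample hosts (not real data).
SAMPLE_HOSTS = {
    "win7-unpatched":    ("win7",      {"win32k.sys": "6.1.7601.23889"}),
    "win7-patched":      ("win7",      {"win32k.sys": "6.1.7601.23914"}),
    "2012r2-unpatched":  ("win2012r2", {"gdi32.dll":  "6.3.9600.18697"}),
    "win10-not-covered": ("win10",     {"win32k.sys": "10.0.15063.1"}),
}


def scan(hosts=SAMPLE_HOSTS) -> Dict[str, Optional[Finding]]:
    return {name: check_host(os_key, vers) for name, (os_key, vers) in hosts.items()}


if __name__ == "__main__":
    for name, finding in scan().items():
        print(name, "->", "patched or not covered" if finding is None else finding.report())
```

Note that Windows 10 and Server 2016 are in the affected list on this page but none of the four plugins reproduced here covers them; the table deliberately returns None for such hosts rather than guessing a threshold. A version-check of this kind only proves the binary was updated; it says nothing about whether the system has rebooted into the patched kernel.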
{"symantec": [{"lastseen": "2018-03-12T02:29:13", "bulletinFamily": "software", "cvelist": ["CVE-2017-11814"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2017-10-10T00:00:00", "published": "2017-10-10T00:00:00", "id": "SMNTC-101093", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101093", "type": "symantec", "title": "Microsoft Windows Kernel CVE-2017-11814 Local Information Disclosure Vulnerability", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "mscve": [{"lastseen": "2021-03-18T19:17:25", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-11814"], "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "modified": "2017-10-10T07:00:00", "published": "2017-10-10T07:00:00", "id": "MS:CVE-2017-11814", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11814", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-06-08T23:35:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11765", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11814", "CVE-2017-8694"], "description": "This host is missing an important security\n update according to Microsoft KB4042120", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": 
"OPENVAS:1361412562310811920", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811920", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4042120)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4042120)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811920\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8694\", \"CVE-2017-11765\", \"CVE-2017-11814\", \"CVE-2017-11824\",\n \"CVE-2017-8689\");\n script_bugtraq_id(101100, 101111, 101093, 101099, 101128);\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:44:10 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4042120)\");\n\n script_tag(name:\"summary\", 
value:\"This host is missing an important security\n update according to Microsoft KB4042120\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - The Windows kernel improperly handles objects in memory.\n\n - The Windows kernel-mode driver fails to properly handle objects in memory.\n\n - The Windows Graphics Component improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system and also run\n arbitrary code in kernel mode.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4042120\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.0.6002.24200\"))\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + 
'\\n' +\n 'Vulnerable range: Less than 6.0.6002.24200\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11781", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041690", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811927", "type": "openvas", "title": "Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811927\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-11763\",\n \"CVE-2017-11765\", \"CVE-2017-8718\", \"CVE-2017-8727\", \"CVE-2017-11815\",\n \"CVE-2017-11771\", \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\",\n \"CVE-2017-11781\", \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11816\", \"CVE-2017-11817\",\n \"CVE-2017-11818\", \"CVE-2017-11824\", \"CVE-2017-11814\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101109, 101111, 101162, 101142, 101114,\n 101116, 101166, 101110, 101140, 101147, 101149, 101077, 101141,\n 101081, 101094, 101095, 101101, 101099, 101093, 101136, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:59:57 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041690\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - 
An error in USBHUB.SYS randomly causes memory corruption that results in\n random system crashes that are extremely difficult to diagnose.\n\n - Security updates to Microsoft Windows Search Component, Windows kernel-mode drivers,\n Microsoft Graphics Component, Internet Explorer, Windows kernel, Windows Wireless\n Networking, Windows Storage and File systems, Microsoft Windows DNS, Microsoft JET\n Database Engine, and the Windows SMB Server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system to take\n complete control of an affected system, gain access to potentially sensitive\n information, conduct a denial-of-service condition, bypass certain security\n restrictions and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041690\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"shell32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.2.9200.22281\"))\n{\n report = 'File checked: 
' + sysPath + \"\\shell32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22281\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-11819", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-11813", "CVE-2017-8727", "CVE-2017-8717", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041681", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812016", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812016", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041681)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041681)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812016\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-8718\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11780\", \"CVE-2017-11781\", \"CVE-2017-11784\",\n \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11793\", \"CVE-2017-11810\",\n \"CVE-2017-11813\", \"CVE-2017-11814\", \"CVE-2017-11815\", \"CVE-2017-11816\",\n \"CVE-2017-11817\", \"CVE-2017-11819\", \"CVE-2017-11822\", \"CVE-2017-11824\",\n \"CVE-2017-8689\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101162, 101109, 101111, 101142, 101114,\n 101116, 101110, 101140, 101147, 101149, 101077, 101141, 101081,\n 101083, 101093, 101136, 101094, 101095, 101121, 101122, 101099,\n 101128, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:41:12 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041681)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041681\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - A spoofing vulnerability in the Windows 
implementation of wireless networking (KRACK)\n\n - An error in the Microsoft Server Message Block (SMB) server when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when Internet Explorer improperly handles objects in memory.\n\n - An error when the Windows Graphics Component improperly handles objects in\n memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when Internet Explorer improperly accesses objects in memory via the\n Microsoft Windows Text Services Framework.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error in the way that Microsoft browsers access objects in memory.\n\n - An error when the Windows kernel improperly initializes objects in memory.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, conduct denial-of-service, gain access to potentially\n sensitive information, take control of the affected system and gain escalated\n privileges.\");\n\n script_tag(name:\"affected\", 
value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041681\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.23914\"))\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.1.7601.23914\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:55:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-11813", "CVE-2017-8727", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", 
"CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041693", "modified": "2019-12-20T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812022", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812022", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041693)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041693)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812022\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-8718\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\",\n \"CVE-2017-11783\", \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11813\", \"CVE-2017-11814\",\n \"CVE-2017-11815\", \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\",\n \"CVE-2017-11822\", \"CVE-2017-11824\", \"CVE-2017-8689\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101162, 101109, 101111, 101142, 101114,\n 101116, 101166, 101110, 101140, 101144, 101147, 101149, 101077,\n 101141, 101081, 101083, 101093, 101136, 101094, 101095, 101101,\n 101122, 101099, 101128, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 09:41:11 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041693)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041693\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist 
due to:\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - An error when Windows improperly handles calls to Advanced Local Procedure\n Call (ALPC).\n\n - An error in the Microsoft Server Message Block (SMB) server when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error in certain Trusted Platform Module (TPM) chipsets.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when the Windows Graphics Component improperly handles objects in\n memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when Internet Explorer improperly accesses objects in memory via\n the Microsoft Windows Text Services Framework.\n\n - An error in Windows Domain Name System (DNS) DNSAPI.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error when Windows Search handles objects in memory.\n\n - An error in Microsoft Windows storage when it fails to validate an\n integrity-level check.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who 
successfully exploited this vulnerability to run arbitrary code in the\n security context of the local system, cause the affected system to crash, gain\n access to potentially sensitive information, take control of an affected system\n and gain the same user rights as the current user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041693\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"gdi32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.18818\"))\n{\n report = 'File checked: ' + sysPath + \"\\gdi32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.3.9600.18818\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", 
"CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041689", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811925", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811925", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041689)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041689)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811925\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8715\", \"CVE-2017-8717\",\n \"CVE-2017-8718\", \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-11816\",\n \"CVE-2017-11769\", \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\",\n \"CVE-2017-11783\", \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11793\",\n \"CVE-2017-11798\", \"CVE-2017-11799\", \"CVE-2017-11800\", \"CVE-2017-11802\",\n \"CVE-2017-11804\", \"CVE-2017-11808\", \"CVE-2017-11809\", \"CVE-2017-11810\",\n \"CVE-2017-11811\", \"CVE-2017-11812\", \"CVE-2017-11814\", \"CVE-2017-11817\",\n \"CVE-2017-11818\", \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\",\n \"CVE-2017-8689\", \"CVE-2017-8693\", \"CVE-2017-11815\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101163, 101161, 101162, 101109, 101111, 101112,\n 101084, 101142, 101114, 101116, 101166, 101110, 101140, 101144,\n 101149, 101077, 101141, 101125, 101126, 101127, 101130, 101131,\n 101135, 101137, 101081, 101138, 101139, 101093, 101095, 101101,\n 101122, 101102, 101099, 101128, 101096, 101136, 101094, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:49:56 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows 
Multiple Vulnerabilities (KB4041689)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041689\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - The Universal CRT _splitpath was not handling multi byte strings correctly,\n which caused apps to fail when accessing multi byte filenames.\n\n - The Universal CRT caused the linker (link.exe) to stop working for large\n projects.\n\n - The MSMQ performance counter (MSMQ Queue) may not populate queue instances\n when the server hosts a clustered MSMQ role.\n\n - The Lock Workstation policy for smart cards where, in some cases, the system\n doesn't lock when you remove the smart card.\n\n - Issue with form submissions in Internet Explorer.\n\n - Issue with URL encoding in Internet Explorer.\n\n - Issue that prevents an element from receiving focus in Internet Explorer.\n\n - Issue with the docking and undocking of Internet Explorer windows.\n\n - Issue with the rendering of a graphics element in Internet Explorer.\n\n - Issue caused by a pop-up window in Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system, take complete\n control of an affected system, bypass certain security restrictions, gain access\n to potentially sensitive information, conduct a denial-of-service condition and\n gain privileged access.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1511 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041689\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.1175\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10586.0 - 11.0.10586.1175\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11784", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", 
"CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4042895", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811921", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811921", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4042895)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4042895)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811921\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8715\", \"CVE-2017-8717\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-11769\", \"CVE-2017-8718\",\n \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11771\", \"CVE-2017-11772\",\n \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\", \"CVE-2017-11783\",\n \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11793\",\n \"CVE-2017-11798\", \"CVE-2017-11799\", \"CVE-2017-11800\", \"CVE-2017-11802\",\n \"CVE-2017-11804\", \"CVE-2017-11808\", \"CVE-2017-11809\", \"CVE-2017-11810\",\n \"CVE-2017-11811\", \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\",\n \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\", \"CVE-2017-8689\",\n \"CVE-2017-8693\", \"CVE-2017-11814\", \"CVE-2017-11815\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101163, 101161, 101109, 101111, 101112, 101162,\n 101084, 101142, 101114, 101116, 101166, 101110, 101140, 101144,\n 101147, 101149, 101077, 101141, 101125, 101126, 101127, 101130,\n 101131, 101135, 101137, 101081, 101138, 101094, 101095, 101101,\n 101122, 101102, 101099, 101128, 101096, 101093, 101136, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:47:24 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows 
Multiple Vulnerabilities (KB4042895)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4042895\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - The Universal CRT _splitpath was not handling multi byte strings correctly,\n which caused apps to fail when accessing multi byte filenames.\n\n - The Universal CRT caused the linker (link.exe) to stop working for large\n projects.\n\n - The MSMQ performance counter (MSMQ Queue) may not populate queue instances\n when the server hosts a clustered MSMQ role.\n\n - The Lock Workstation policy for smart cards where, in some cases, the system\n doesn't lock when you remove the smart card.\n\n - Issue with form submissions in Internet Explorer.\n\n - Issue with URL encoding in Internet Explorer.\n\n - Issue that prevents an element from receiving focus in Internet Explorer.\n\n - Issue with the docking and undocking of Internet Explorer windows.\n\n - Issue with the rendering of a graphics element in Internet Explorer.\n\n - Issue caused by a pop-up window in Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system, take complete\n control of an affected system, bypass certain security restrictions, gain access\n to potentially sensitive information, conduct a denial-of-service condition and\n gain privileged access.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4042895\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17642\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10240.0 - 11.0.10240.17642\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:55:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11782", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", 
"CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041691", "modified": "2019-12-20T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812026", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812026", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041691)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041691)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812026\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-8717\", \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-11769\",\n \"CVE-2017-8718\", \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\",\n \"CVE-2017-11782\", \"CVE-2017-11783\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11798\", \"CVE-2017-11799\", \"CVE-2017-11800\",\n \"CVE-2017-11802\", \"CVE-2017-11804\", \"CVE-2017-11808\", \"CVE-2017-11809\",\n \"CVE-2017-11810\", \"CVE-2017-11811\", \"CVE-2017-11812\", \"CVE-2017-11814\",\n \"CVE-2017-11815\", \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\",\n \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\", \"CVE-2017-11829\",\n \"CVE-2017-8689\", \"CVE-2017-8693\", \"CVE-2017-11762\", \"CVE-2017-8694\",\n \"CVE-2017-8715\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101163, 101161, 101109, 101111, 101112, 101162,\n 101084, 101142, 101114, 101116, 101166, 101110, 101140, 101143,\n 101144, 101149, 101077, 101141, 101125, 101126, 101127, 101130,\n 101131, 101135, 101137, 101081, 101138, 101139, 101093, 101136,\n 101094, 101095, 101101, 101122, 101102, 101099, 101213, 101128,\n 101096, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 10:50:05 
+0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041691)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041691\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - An error when Windows improperly handles calls to Advanced Local Procedure\n Call (ALPC).\n\n - An error in the Microsoft Server Block Message (SMB) when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error in certain Trusted Platform Module (TPM) chipsets.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the way that certain Windows components handle the loading of\n DLL files.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Microsoft Windows Graphics Component improperly handles\n objects in memory.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error in the way the scripting engine handle objects in memory in Microsoft\n browsers.\n\n - An error in the way that the scripting engine handles objects in memory in\n Microsoft Edge.\n\n - An error in Device Guard that could allow an attacker to inject malicious code\n into a Windows PowerShell session.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when Internet Explorer improperly handles 
objects in memory.\n\n - An error when the Windows Graphics Component improperly handles objects in memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when the Windows Update Delivery Optimization does not properly enforce\n file share permissions.\n\n - An error in Windows Domain Name System (DNS) DNSAPI.\n\n - An error in the default Windows SMB Server configuration which allows anonymous\n users to remotely access certain named pipes that are also configured to allow\n anonymous access to users who are logged on locally.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error in Microsoft Windows storage when it fails to validate an integrity-level\n check.\n\n - An error in the way affected Microsoft scripting engines render when handling\n objects in memory in Microsoft Edge.\n\n - when Internet Explorer improperly accesses objects in memory via the Microsoft\n Windows Text Services Framework.\n\n - An error when the Windows kernel improperly initializes objects in memory.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system, conduct NTLM\n dictionary attacks, cause the affected system to crash, take complete control\n of an affected system, obtain sensitive information to further compromise the\n user's system, inject code into a trusted PowerShell process, run processes\n in an elevated context, inject code code in kernel mode and gain elevated\n privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2016\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n 
script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041691\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2016:1, win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.1769\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.14393.0 - 11.0.14393.1769\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11796", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11794", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-11806", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-8703", "CVE-2017-11792", "CVE-2017-11790", 
"CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11807", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11821", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11805", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041676", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811865", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811865", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041676)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041676)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811865\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8694\", \"CVE-2017-8703\", \"CVE-2017-8715\", \"CVE-2017-11780\",\n \"CVE-2017-8717\", \"CVE-2017-11762\", \"CVE-2017-11763\", \"CVE-2017-11765\",\n \"CVE-2017-8718\", \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11769\",\n \"CVE-2017-11771\", \"CVE-2017-11772\", \"CVE-2017-11781\", \"CVE-2017-11783\",\n \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11792\", \"CVE-2017-11793\",\n \"CVE-2017-11794\", \"CVE-2017-11796\", \"CVE-2017-11798\", \"CVE-2017-11799\",\n \"CVE-2017-11802\", \"CVE-2017-11804\", \"CVE-2017-11805\", \"CVE-2017-11806\",\n \"CVE-2017-11807\", \"CVE-2017-11808\", \"CVE-2017-11809\", \"CVE-2017-11810\",\n \"CVE-2017-11811\", \"CVE-2017-11812\", \"CVE-2017-11814\", \"CVE-2017-11815\",\n \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\", \"CVE-2017-11821\",\n \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\", \"CVE-2017-11829\",\n \"CVE-2017-8689\", \"CVE-2017-8693\", \"CVE-2017-11779\", \"CVE-2017-13080\");\n script_bugtraq_id(101100, 101164, 101163, 101161, 101108, 101109, 101111, 101162,\n 101084, 101142, 101112, 101114, 101116, 101140, 101144, 101149,\n 101077, 101078, 101141, 101079, 101080, 101125, 101126, 101130,\n 101131, 101132, 101133, 101134, 101135, 101137, 101081, 101138,\n 101139, 101093, 101136, 101094, 101095, 101101, 101123, 101122,\n 101102, 101099, 101213, 101128, 101096, 101166, 101110, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 11:02:49 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041676)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041676\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists, please refer the link\n mentioned in reference for more information.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who successfully exploited these vulnerabilities to run arbitrary code in the\n security context of the local system, cause the affected system to crash, gain\n access to potentially sensitive information, take control of an affected system\n and gain the same user rights as the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041676\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.673\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.15063.0 - 11.0.15063.673\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-04-01T06:16:55", "description": "The remote Windows host is missing security update 4041679\nor cumulative update 4041690. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
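The KB4041676 plugin above decides purely on the file version of edgehtml.dll, calling version_in_range() over 11.0.15063.0 to 11.0.15063.673. The Python below is an added example, not Greenbone's code, that reimplements that check outside NASL. The point it makes is that dotted build numbers must be compared field by field as integers: a lexical string comparison would report a constructed later build such as 11.0.15063.1029 as still inside the vulnerable range, a false positive, and the same bug in the other direction yields silent false negatives. The function names and the sample versions are this example's own; the bounds are the plugin's.

```python
"""Dotted file-version range check, in the spirit of the KB4041676 plugin.

Added example, not Greenbone's code. The bounds come from the plugin above
(edgehtml.dll 11.0.15063.0 - 11.0.15063.673 inclusive on Windows 10 1703);
the function names and sample versions are this example's own.
"""
from __future__ import annotations

VULN_LOW = "11.0.15063.0"
VULN_HIGH = "11.0.15063.673"   # highest build the plugin still reports as vulnerable


def parse_version(ver: str) -> tuple[int, ...]:
    """Split 'a.b.c.d' into a tuple of ints; reject anything non-numeric."""
    fields = ver.strip().split(".")
    if any(not f.isdigit() for f in fields):
        raise ValueError(f"not a dotted numeric version: {ver!r}")
    return tuple(int(f) for f in fields)


def _pad(t: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Treat missing trailing fields as 0, so '11.0.15063' == '11.0.15063.0'."""
    return t + (0,) * (width - len(t))


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test on numeric fields (what NASL version_in_range does)."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    return _pad(lo, width) <= _pad(v, width) <= _pad(hi, width)


def lexical_in_range(version: str, low: str, high: str) -> bool:
    """The wrong way: plain string comparison. Kept only to show the pitfall."""
    return low <= version <= high


def check_edgehtml(edgehtml_version: str) -> dict:
    """Emulate the plugin's verdict for one host; report fields follow the plugin's output."""
    return {
        "file": r"C:\Windows\System32\edgehtml.dll",
        "version": edgehtml_version,
        "vulnerable_range": f"{VULN_LOW} - {VULN_HIGH}",
        "missing_kb4041676": version_in_range(edgehtml_version, VULN_LOW, VULN_HIGH),
    }


if __name__ == "__main__":
    # Constructed sample versions: one inside the range, the boundary, the build
    # just past it, and a later build whose last field is lexically "smaller".
    for v in ("11.0.15063.502", "11.0.15063.673", "11.0.15063.674", "11.0.15063.1029"):
        print(f"{v:>16}  numeric={version_in_range(v, VULN_LOW, VULN_HIGH)!s:5}  "
              f"lexical={lexical_in_range(v, VULN_LOW, VULN_HIGH)}")
```

Run stand-alone it prints one line per sample build; the last one is where numeric and lexical comparison disagree. The same numeric comparison is what any home-grown inventory script should use when it reads edgehtml.dll's VersionInfo off a host and compares it against the plugin's bound.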
(CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. 
(CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Message Block (SMB) when an attacker\n sends specially crafted requests to the server. 
An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. 
(CVE-2017-11818)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 45, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "Windows Server 2012 October 2017 Security Updates (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11781", "CVE-2017-11816"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041690.NASL", "href": "https://www.tenable.com/plugins/nessus/103748", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103748);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101101,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101136,\n 101140,\n 101141,\n 101142,\n 101147,\n 101149,\n 101161,\n 101162,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041690\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041679\");\n script_xref(name:\"MSFT\", value:\"MS17-4041690\");\n script_xref(name:\"MSFT\", value:\"MS17-4041679\");\n\n script_name(english:\"Windows Server 2012 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041679\nor cumulative update 4041690. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
(CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Message Block (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. 
(CVE-2017-11779)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041690/windows-server-2012-update-kb4041690\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e258896f\");\n # https://support.microsoft.com/en-us/help/4041679/windows-server-2012-update-kb4041679\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14f62d6a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041690 or KB4041679.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041690', '4041679');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041690, 4041679])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:16:55", "description": "The remote Windows host is missing security update 4041678\nor cumulative update 4041681. 
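Both Nessus plugins in this record (the Windows Server 2012 one above and the Windows 7 / Server 2008 R2 one that follows) do not look for one specific KB; they call smb_check_rollup() with a rollup date of 10_2017 and a list of two KB numbers, the monthly rollup and the security-only update. The Python below is an added example, not Tenable's code, that models that decision for the Server 2012 case: a host is covered if the security-only update KB4041679 is present, or if any monthly rollup released on or after 10 October 2017 is present, because monthly rollups on this servicing branch are cumulative while security-only updates are not. The KB catalogue, the hypothetical later rollup numbered 9999999, the unrelated KB 1234567 and the function names are constructed for the example; the Windows 8 skip mirrors the plugin's "Windows 8 EOL" audit and the OS version gate mirrors hotfix_check_sp_range(win8:'0').

```python
"""Model of the rollup check the October 2017 Server 2012 plugin performs.

Added example, not Tenable's code. Assumptions: monthly rollups for this
servicing branch are cumulative (a later rollup supersedes KB4041690), while
security-only updates are not (only KB4041679 itself counts). The catalogue
below is constructed for the example; KB9999999 is a hypothetical later rollup.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

OS_VERSION_2012 = "6.2"            # Windows 8 / Server 2012 kernel version, as in the plugin
OCT_2017 = date(2017, 10, 10)      # patch_publication_date from the plugin
SECURITY_ONLY_KB = 4041679
MONTHLY_ROLLUP_KB = 4041690


@dataclass(frozen=True)
class Kb:
    number: int
    released: date
    cumulative: bool   # True for monthly rollups, False for security-only updates


# Constructed catalogue: the two KBs the plugin names plus one hypothetical
# later rollup used to show supersedence. Only entries needed here are listed.
CATALOGUE: dict[int, Kb] = {
    MONTHLY_ROLLUP_KB: Kb(MONTHLY_ROLLUP_KB, OCT_2017, cumulative=True),
    SECURITY_ONLY_KB: Kb(SECURITY_ONLY_KB, OCT_2017, cumulative=False),
    9999999: Kb(9999999, date(2017, 11, 14), cumulative=True),   # hypothetical later rollup
}


def covering_kb(os_version: str, product_name: str, installed: list[int]) -> int | None:
    """Return the installed KB that satisfies the October 2017 requirement,
    0 if none does, or None when the check does not apply to this host."""
    if os_version != OS_VERSION_2012:
        return None                  # plugin: hotfix_check_sp_range(win8:'0') audits other OS versions out
    if "Windows 8" in product_name:
        return None                  # plugin: Windows 8 client is EOL and audited as not vulnerable
    for number in installed:
        kb = CATALOGUE.get(number)
        if kb is None:
            continue                 # unrelated KB, no bearing on this check
        if number == SECURITY_ONLY_KB:
            return number            # non-cumulative: only this exact KB counts
        if kb.cumulative and kb.released >= OCT_2017:
            return number            # the October rollup or any later one supersedes it
    return 0


def missing_october_2017(os_version: str, product_name: str, installed: list[int]) -> bool | None:
    """True if the host still needs KB4041690 or KB4041679, False if covered,
    None if the check is not applicable."""
    found = covering_kb(os_version, product_name, installed)
    return None if found is None else found == 0


if __name__ == "__main__":
    # Constructed host facts, in the shape of SMB/WindowsVersion and SMB/ProductName.
    hosts = [
        ("6.2", "Windows Server 2012 Standard", []),
        ("6.2", "Windows Server 2012 Standard", [1234567, SECURITY_ONLY_KB]),
        ("6.2", "Windows Server 2012 Standard", [9999999]),
        ("6.2", "Windows 8 Pro", []),
        ("6.1", "Windows Server 2008 R2 Standard", []),
    ]
    for os_ver, name, kbs in hosts:
        print(f"{name:32} {os_ver}  kbs={kbs}  missing={missing_october_2017(os_ver, name, kbs)}")
```

The supersedence rule is the caveat worth carrying into any custom check: grepping the installed-hotfix list for the literal string KB4041690 flags every host that took a later monthly rollup as unpatched, which is why the plugin keys on a rollup date rather than a single KB number.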
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
(CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Message Block (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. 
An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 47, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "Windows 7 and Windows Server 2008 R2 October 2017 Security Updates (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-11819", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-11813", "CVE-2017-8717", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-11816"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041681.NASL", "href": "https://www.tenable.com/plugins/nessus/103746", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103746);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11819\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101147,\n 101149,\n 101161,\n 101162,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041681\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041678\");\n script_xref(name:\"MSFT\", value:\"MS17-4041681\");\n script_xref(name:\"MSFT\", value:\"MS17-4041678\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041678\nor cumulative update 4041681. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
(CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. 
An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1d1a2595\");\n # https://support.microsoft.com/en-us/help/4041678/windows-7-update-kb4041678\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?501fabf5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4041678 or Cumulative update KB4041681.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041681', '4041678');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041681, 4041678])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-09T05:02:37", "description": "The remote Windows host is missing multiple security updates released\non 2017/10/10. 
It is, therefore, affected by multiple\nvulnerabilities :\n\n- A buffer overflow vulnerability exists in the Microsoft JET\n Database Engine that could allow remote code execution on an\n affected system. An attacker who successfully exploited this\n vulnerability could take complete control of an affected system.\n (CVE-2017-0250)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
(CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 38, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-12T00:00:00", "title": "Windows 2008 October 2017 Multiple Security Updates (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-0250", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8717", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-11816"], "modified": "2017-10-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_WIN2008.NASL", "href": "https://www.tenable.com/plugins/nessus/103816", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103816);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\n \"CVE-2017-0250\",\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 98100,\n 101077,\n 101081,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101147,\n 101149,\n 101161,\n 101162,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4042050\");\n script_xref(name:\"MSFT\", value:\"MS17-4042050\");\n script_xref(name:\"MSKB\", value:\"4041671\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041671\");\n script_xref(name:\"MSKB\", value:\"4041944\");\n script_xref(name:\"MSFT\", value:\"MS17-4041944\");\n script_xref(name:\"MSKB\", value:\"4041995\");\n script_xref(name:\"MSFT\", value:\"MS17-4041995\");\n script_xref(name:\"MSKB\", value:\"4050795\");\n script_xref(name:\"MSFT\", value:\"MS17-4050795\");\n script_xref(name:\"MSKB\", value:\"4042067\");\n script_xref(name:\"MSFT\", value:\"MS17-4042067\");\n script_xref(name:\"MSKB\", value:\"4042120\");\n script_xref(name:\"MSFT\", value:\"MS17-4042120\");\n script_xref(name:\"MSKB\", value:\"4042121\");\n script_xref(name:\"MSFT\", value:\"MS17-4042121\");\n script_xref(name:\"MSKB\", value:\"4042122\");\n 
script_xref(name:\"MSFT\", value:\"MS17-4042122\");\n\n script_name(english:\"Windows 2008 October 2017 Multiple Security Updates (KRACK)\");\n script_summary(english:\"Checks the existence of Windows Server 2008 October 2017 Patches.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing multiple security updates released\non 2017/10/10. It is, therefore, affected by multiple\nvulnerabilities :\n\n- A buffer overflow vulnerability exists in the Microsoft JET\n Database Engine that could allow remote code execution on an\n affected system. An attacker who successfully exploited this\n vulnerability could take complete control of an affected system.\n (CVE-2017-0250)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4042050/security-update-for-the-microsoft-jet-database-engine-remote-code-exec\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?47cf0955\");\n # https://support.microsoft.com/en-us/help/4050795/unexpected-error-from-external-database-driver-error-when-you-create-o\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ef65f13\");\n # https://support.microsoft.com/en-us/help/4041995/security-update-for-the-windows-smb-vulnerabilities-in-windows-server\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cdb3c598\");\n # https://support.microsoft.com/en-us/help/4042067/security-update-for-search-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?492474c1\");\n # https://support.microsoft.com/en-us/help/4041671/security-update-for-the-windows-kernel-information-disclosure-vulnerab\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?11033575\");\n # https://support.microsoft.com/en-us/help/4042122/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?41b63a5b\");\n # https://support.microsoft.com/en-us/help/4042120/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9e644606\");\n # https://support.microsoft.com/en-us/help/4042121/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53858948\");\n # https://support.microsoft.com/en-us/help/4040685/cumulative-security-update-for-internet-explorer\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?86f61c93\");\n # https://support.microsoft.com/en-us/help/4041944/windows-information-disclosure-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e2287b5e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - 4041671\n - 4041944\n - 4041995\n - 4050795\n - 4042067\n - 4042120\n - 4042121\n - 4042122\n - 4042050\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-10';\n\nkbs = make_list(\n \"4032201\",\n \"4034786\",\n \"4038874\",\n \"4039038\",\n \"4039266\",\n \"4039325\",\n \"4039384\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\nvuln = 0;\n\n# 4041671\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"os-kernel_31bf3856ad364e35\", file_pat:\"^ntoskrnl\\.exe$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24202'),\n max_versions:make_list('6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4041671\", session:the_session);\n\n# 4041944\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"ntfs_31bf3856ad364e35\", file_pat:\"^ntfs\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4041944\", session:the_session);\n\n# 4041995\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"smbserver-common_31bf3856ad364e35\", file_pat:\"^srvnet\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4041995\", session:the_session);\n\n# 4042067\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"c..ent-indexing-common_31bf3856ad364e35\", file_pat:\"^query\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4042067\", session:the_session);\n\n# 4042120\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"win32k_31bf3856ad364e35\", 
file_pat:\"^win32k\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4042120\", session:the_session);\n\n# 4042121\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"gdi32_31bf3856ad364e35\", file_pat:\"^gdi32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4042121\", session:the_session);\n\n# 4050795 (fix for 4042007)\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"m..components-jetexcel_31bf3856ad364e35\", file_pat:\"^msexcl40\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('4.0.9801.2'),\n max_versions:make_list('4.0.9801.9999'),\n bulletin:bulletin,\n kb:\"4050795\", session:the_session);\n\n# 4042122\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"font-embedding_31bf3856ad364e35\", file_pat:\"^t2embed\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4042122\", session:the_session);\n\n# 4042050\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"mponents-jetintlerr_31bf3856ad364e35\", file_pat:\"^msjint40\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('4.0.9801.1'),\n max_versions:make_list('4.0.9801.9999'),\n bulletin:bulletin,\n kb:\"4042050\", session:the_session);\n\n# The following two checks are commented out\n# due to released patches failing to apply\n# to relavant systems.\n## 4042123\n#files = list_dir(basedir:winsxs, level:0, dir_pat:\"t..icesframework-msctf_31bf3856ad364e35\", file_pat:\"^msctf\\.dll$\", max_recurse:1);\n#vuln += hotfix_check_winsxs(os:'6.0',\n# 
sp:2,\n# files:files,\n# versions:make_list('6.0.6002.16386', '6.0.6002.24202'),\n# max_versions:make_list('6.0.6002.20000', '6.0.6003.99999'),\n# bulletin:bulletin,\n# kb:\"4042123\", session:the_session);\n#\n## 4042723\n#files = list_dir(basedir:winsxs, level:0, dir_pat:\"wlansvc_31bf3856ad364e35\", file_pat:\"^wlanapi\\.dll$\", max_recurse:1);\n#vuln += hotfix_check_winsxs(os:'6.0',\n# sp:2,\n# files:files,\n# versions:make_list('6.0.6001.18000', '6.0.6002.24202'),\n# max_versions:make_list('6.0.6001.20000', '6.0.6003.99999'),\n# bulletin:bulletin,\n# kb:\"4042723\", session:the_session);\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:16:56", "description": "The remote Windows host is missing security update 4041687\nor cumulative update 4041693. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. 
An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. 
To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 44, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "Windows 8.1 and Windows Server 2012 R2 October 2017 Security Updates (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-11813", "CVE-2017-8727", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-11816"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041693.NASL", "href": "https://www.tenable.com/plugins/nessus/103750", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103750);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101101,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101142,\n 101144,\n 101147,\n 101149,\n 101161,\n 101162,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041687\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041693\");\n script_xref(name:\"MSFT\", value:\"MS17-4041687\");\n script_xref(name:\"MSFT\", value:\"MS17-4041693\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041687\nor cumulative update 4041693. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. 
Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11772)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041687/windows-81-update-kb4041687\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1c67d5c\");\n # https://support.microsoft.com/en-us/help/4041693/windows-81-update-kb4041693\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c3325f2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4041687 or Cumulative update KB4041693.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright 
(C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041687', '4041693');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041687, 4041693])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:16:55", "description": "The remote Windows host is missing security update 4041689.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. 
(CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. 
Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 45, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "KB4041689: Windows 10 Version 1511 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041689.NASL", "href": "https://www.tenable.com/plugins/nessus/103747", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103747);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11800\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11812\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101125,\n 101126,\n 101127,\n 101128,\n 101130,\n 101131,\n 101135,\n 101136,\n 101137,\n 101138,\n 101139,\n 101140,\n 101141,\n 101142,\n 101144,\n 101149,\n 101161,\n 101162,\n 101163,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041689\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041689\");\n\n script_name(english:\"KB4041689: Windows 10 Version 1511 October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041689.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. 
An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. 
(CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041689/windows-10-update-kb4041689\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?00992eb3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041689.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041689');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041689])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:16:57", "description": "The remote Windows host is missing security update 4042895.\nIt is, therefore, affected by multiple vulnerabilities 
:\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8726)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic to\n hosts on a WPA or WPA 2-protected wireless network.\n Multiple conditions would need to be met in order for an\n attacker to exploit the vulnerability the attacker would\n need to be within the physical proximity of the targeted\n user, and the user's computer would need to have\n wireless networking enabled. 
The attacker would then\n need to execute a man-in-the-middle (MitM) attack to\n intercept traffic between the target computer and\n wireless access point. The security update addresses the\n vulnerability by changing how Windows verifies wireless\n group key handshakes. (CVE-2017-13080)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11822)", "edition": 34, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-03T00:00:00", "title": "KB4042895: Windows 10 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11784", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4042895.NASL", "href": "https://www.tenable.com/plugins/nessus/104384", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104384);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11800\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101125,\n 101126,\n 101127,\n 101128,\n 101130,\n 101131,\n 101135,\n 101136,\n 101137,\n 101138,\n 101140,\n 101141,\n 101142,\n 101144,\n 101147,\n 101149,\n 101161,\n 101162,\n 101163,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4042895\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4042895\");\n\n script_name(english:\"KB4042895: Windows 10 October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"The remote Windows host is missing security update 4042895.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8726)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic to\n hosts on a WPA or WPA 2-protected wireless network.\n Multiple conditions would need to be met in order for an\n attacker to exploit the vulnerability the attacker would\n need to be within the physical proximity of the targeted\n user, and the user's computer would need to have\n wireless networking enabled. 
The attacker would then\n need to execute a man-in-the-middle (MitM) attack to\n intercept traffic between the target computer and\n wireless access point. The security update addresses the\n vulnerability by changing how Windows verifies wireless\n group key handshakes. (CVE-2017-13080)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11822)\");\n # https://support.microsoft.com/en-us/help/4042895/windows-10-update-kb4042895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bfbef494\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4042895.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4042895');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\nos_name=get_kb_item_or_exit(\"SMB/ProductName\");\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif(\"LTSB\" >!< os_name) audit(AUDIT_OS_NOT, \"Windows 10 version 1507 LTSB\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4042895])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:16:55", "description": "The remote Windows host is missing security update 4041691.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. 
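Both plugins on this page decide "missing" through smb_check_rollup, that is by rollup date and build level, not by whether KB4042895 or KB4041691 appears in the installed-hotfix list. That matters because a later cumulative supersedes the October package without ever registering that KB number, so a check keyed on the KB ID alone misreports patched hosts as vulnerable. The PowerShell below is an added example of the same build-aware check run locally on the host; it is not code from the Nessus plugins, Tenable or Microsoft. The build floors used (10240.17643 for KB4042895 on 1507 LTSB, 14393.1770 for KB4041691 on 1607 / Server 2016) come from Microsoft's release notes for the October 10, 2017 cumulatives and are not stated on this page, so confirm them against the KB articles before relying on them. The function name Test-OctoberRollup and the sample inputs are the example's own.

```powershell
# Added example: build-aware check for the October 2017 Windows 10 cumulative
# updates covered by the Nessus plugins above. Not part of the plugin source.
# Build floors assumed from Microsoft's October 10, 2017 release notes; they are
# not stated on this page, verify them against the KB articles.
$OctoberRollup = @{
    '10240' = @{ KB = 'KB4042895'; UBR = 17643 }  # Windows 10 1507 (LTSB), plugin 104384
    '14393' = @{ KB = 'KB4041691'; UBR = 1770  }  # Windows 10 1607 / Server 2016, plugin 103749
}

function Test-OctoberRollup {
    # Hypothetical helper (the example's own name). Returns Patched / Missing / NotCovered.
    param(
        [Parameter(Mandatory)][string]$CurrentBuild,   # e.g. '14393'
        [Parameter(Mandatory)][int]$UBR,               # Update Build Revision, e.g. 1770
        [string[]]$InstalledHotfixIds = @()            # HotFixID values from Get-HotFix, optional
    )
    $expected = $OctoberRollup[$CurrentBuild]
    if (-not $expected) {
        return [pscustomobject]@{
            Build  = "$CurrentBuild.$UBR"
            Status = 'NotCovered'
            Detail = 'release not in the October 2017 table'
        }
    }
    # The UBR is what a cumulative update raises. A host at or above the floor is
    # patched even when the named KB is absent from the hotfix list, because a later
    # cumulative supersedes it; this is the case a KB-ID-only check gets wrong.
    if ($UBR -ge $expected.UBR) {
        $status = 'Patched'
        $detail = if ($InstalledHotfixIds -contains $expected.KB) {
            "$($expected.KB) installed"
        } else {
            "superseded by a later cumulative (UBR $UBR >= $($expected.UBR))"
        }
    } else {
        $status = 'Missing'
        $detail = "$($expected.KB) or a later cumulative required (UBR $UBR < $($expected.UBR))"
    }
    [pscustomobject]@{ Build = "$CurrentBuild.$UBR"; Status = $status; Detail = $detail }
}

# Constructed inputs (not taken from real hosts) showing the three outcomes.
Test-OctoberRollup -CurrentBuild '14393' -UBR 1715                                     # Missing
Test-OctoberRollup -CurrentBuild '14393' -UBR 1770 -InstalledHotfixIds @('KB4041691')  # Patched, KB present
Test-OctoberRollup -CurrentBuild '14393' -UBR 1884                                     # Patched, superseded
Test-OctoberRollup -CurrentBuild '16299' -UBR 19                                       # NotCovered

# Live check on this host, reading the same CurrentVersion values the plugin's
# SMB-based checks read remotely. UBR exists on Windows 10 / Server 2016 only.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ids = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Test-OctoberRollup -CurrentBuild $cv.CurrentBuild -UBR $cv.UBR -InstalledHotfixIds $ids | Format-List
```

Two differences from the plugin are worth noting. Plugin 104384 gates on hotfix_check_sp_range(win10:'0') plus "LTSB" in the product name, so it only ever fires for 1507 LTSB; this script keys on CurrentBuild instead and reports NotCovered for any release not in its table rather than silently passing it. And Get-HotFix (Win32_QuickFixEngineering) does not list every update a host has received, so the KB presence is reported only as supporting detail; the UBR comparison is the authoritative signal, which is also why the plugin relies on rollup-date comparison rather than a KB lookup.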
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An elevation of privilege vulnerability exists in the\n default Windows SMB Server configuration which allows\n anonymous users to remotely access certain named pipes\n that are also configured to allow anonymous access to\n users who are logged on locally. 
An unauthenticated\n attacker who successfully exploits this configuration\n error could remotely send specially crafted requests to\n certain services that accept requests via named pipes.\n (CVE-2017-11782)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 46, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "KB4041691: Windows 10 Version 1607 and Windows Server 2016 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11782", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041691.NASL", "href": "https://www.tenable.com/plugins/nessus/103749", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103749);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11782\",\n \"CVE-2017-11783\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11800\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11812\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-11829\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101125,\n 101126,\n 101127,\n 101128,\n 101130,\n 101131,\n 101135,\n 101136,\n 101137,\n 101138,\n 101139,\n 101140,\n 101141,\n 101142,\n 101143,\n 101144,\n 101149,\n 101161,\n 101162,\n 101163,\n 101166,\n 101213,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041691\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041691\");\n\n script_name(english:\"KB4041691: Windows 10 Version 1607 and Windows Server 2016 October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows 
host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041691.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. 
(CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An elevation of privilege vulnerability exists in the\n default Windows SMB Server configuration which allows\n anonymous users to remotely access certain named pipes\n that are also configured to allow anonymous access to\n users who are logged on locally. An unauthenticated\n attacker who successfully exploits this configuration\n error could remotely send specially crafted requests to\n certain services that accept requests via named pipes.\n (CVE-2017-11782)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. 
(CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041691/windows-10-update-kb4041691\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?62ef3ec8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041691.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041691');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041691])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:16:54", "description": "The remote Windows host is missing security update 4041676.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11792,\n CVE-2017-11796, CVE-2017-11798, CVE-2017-11799,\n CVE-2017-11802, CVE-2017-11804, CVE-2017-11805,\n CVE-2017-11806, CVE-2017-11807, CVE-2017-11808,\n CVE-2017-11811, CVE-2017-11812, CVE-2017-11821)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. 
An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11772)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11794)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. 
An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. 
(CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A denial of service vulnerability exists when Windows\n Subsystem for Linux improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could cause a denial of service against\n the local system. A attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Windows Subsystem for Linux handles\n objects in memory. (CVE-2017-8703)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 45, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "KB4041676: Windows 10 Version 1703 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11796", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11794", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-11806", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-8703", "CVE-2017-11792", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11807", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11821", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11805", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041676.NASL", "href": "https://www.tenable.com/plugins/nessus/103745", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103745);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8703\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11792\",\n \"CVE-2017-11793\",\n \"CVE-2017-11794\",\n \"CVE-2017-11796\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11805\",\n \"CVE-2017-11806\",\n \"CVE-2017-11807\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11812\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11821\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-11829\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101078,\n 101079,\n 101080,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101123,\n 101125,\n 101126,\n 101128,\n 101130,\n 101131,\n 101132,\n 101133,\n 101134,\n 101135,\n 101136,\n 101137,\n 101138,\n 101139,\n 101140,\n 101141,\n 101142,\n 101144,\n 101149,\n 101161,\n 101162,\n 101163,\n 101164,\n 101166,\n 101213,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041676\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041676\");\n\n script_name(english:\"KB4041676: Windows 10 Version 1703 
October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041676.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11792,\n CVE-2017-11796, CVE-2017-11798, CVE-2017-11799,\n CVE-2017-11802, CVE-2017-11804, CVE-2017-11805,\n CVE-2017-11806, CVE-2017-11807, CVE-2017-11808,\n CVE-2017-11811, CVE-2017-11812, CVE-2017-11821)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11794)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. 
(CVE-2017-11785)\n\n - A denial of service vulnerability exists when Windows\n Subsystem for Linux improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could cause a denial of service against\n the local system. An attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Windows Subsystem for Linux handles\n objects in memory. (CVE-2017-8703)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041676/windows-10-update-kb4041676\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ea1407b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041676.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041676');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041676])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:51:13", "bulletinFamily": "info", "cvelist": ["CVE-2017-11793", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-11819", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-8717", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-11816"], "description": "### 
*Detect date*:\n10/10/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, obtain sensitive information, gain privileges.\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nWindows Server 2012 \nInternet Explorer 11 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2016 \nWindows RT 8.1 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1703 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original 
advisories*:\n[CVE-2017-11781](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11781>) \n[CVE-2017-11780](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11780>) \n[CVE-2017-11785](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11785>) \n[CVE-2017-11784](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11784>) \n[CVE-2017-11765](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11765>) \n[CVE-2017-11763](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11763>) \n[CVE-2017-11762](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11762>) \n[CVE-2017-8694](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8694>) \n[CVE-2017-11822](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11822>) \n[CVE-2017-8717](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8717>) \n[CVE-2017-11790](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11790>) \n[CVE-2017-11824](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11824>) \n[CVE-2017-11793](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11793>) \n[CVE-2017-8718](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8718>) \n[CVE-2017-8727](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8727>) \n[CVE-2017-11772](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11772>) \n[CVE-2017-11771](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11771>) \n[CVE-2017-11819](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11819>) \n[CVE-2017-8689](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8689>) 
\n[CVE-2017-11810](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11810>) \n[CVE-2017-11817](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11817>) \n[CVE-2017-11816](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11816>) \n[CVE-2017-11815](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11815>) \n[CVE-2017-11814](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11814>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-11762](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11762>)0.0Unknown \n[CVE-2017-11763](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11763>)0.0Unknown \n[CVE-2017-11765](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11765>)0.0Unknown \n[CVE-2017-11771](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11771>)0.0Unknown \n[CVE-2017-11772](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11772>)0.0Unknown \n[CVE-2017-11780](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11780>)0.0Unknown \n[CVE-2017-11781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11781>)0.0Unknown \n[CVE-2017-11784](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11784>)0.0Unknown \n[CVE-2017-11785](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11785>)0.0Unknown \n[CVE-2017-11814](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11814>)0.0Unknown \n[CVE-2017-11815](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11815>)0.0Unknown \n[CVE-2017-11816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11816>)0.0Unknown \n[CVE-2017-11817](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11817>)0.0Unknown 
\n[CVE-2017-11819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11819>)0.0Unknown \n[CVE-2017-11824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11824>)0.0Unknown \n[CVE-2017-8689](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8689>)0.0Unknown \n[CVE-2017-8694](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8694>)0.0Unknown \n[CVE-2017-8717](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8717>)0.0Unknown \n[CVE-2017-8718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8718>)0.0Unknown \n[CVE-2017-8727](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8727>)0.0Unknown \n[CVE-2017-11810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11810>)0.0Unknown \n[CVE-2017-11790](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11790>)0.0Unknown \n[CVE-2017-11793](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11793>)0.0Unknown \n[CVE-2017-11822](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11822>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4041678](<http://support.microsoft.com/kb/4041678>) \n[4041681](<http://support.microsoft.com/kb/4041681>) \n[4042122](<http://support.microsoft.com/kb/4042122>) \n[4042123](<http://support.microsoft.com/kb/4042123>) \n[4042120](<http://support.microsoft.com/kb/4042120>) \n[4042121](<http://support.microsoft.com/kb/4042121>) \n[4041995](<http://support.microsoft.com/kb/4041995>) \n[4042007](<http://support.microsoft.com/kb/4042007>) \n[4042067](<http://support.microsoft.com/kb/4042067>) \n[4041944](<http://support.microsoft.com/kb/4041944>) \n[4041671](<http://support.microsoft.com/kb/4041671>) \n[4050795](<http://support.microsoft.com/kb/4050795>) \n[4040685](<http://support.microsoft.com/kb/4040685>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 47, "modified": "2020-07-22T00:00:00", "published": "2017-10-10T00:00:00", "id": "KLA11108", "href": 
"https://threats.kaspersky.com/en/vulnerability/KLA11108", "title": "\r KLA11108Multiple vulnerabilities in Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:48:13", "bulletinFamily": "info", "cvelist": ["CVE-2017-8715", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-11782", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-8703", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11816"], "description": "### *Detect date*:\n10/10/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, cause denial of service, gain privileges, bypass security restrictions.\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2016 \nWindows RT 8.1 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1703 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems 
\nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-11762](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11762>) \n[CVE-2017-11763](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11763>) \n[CVE-2017-11765](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11765>) \n[CVE-2017-11769](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11769>) \n[CVE-2017-11771](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11771>) \n[CVE-2017-11772](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11772>) \n[CVE-2017-11779](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11779>) \n[CVE-2017-11780](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11780>) \n[CVE-2017-11781](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11781>) \n[CVE-2017-11782](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11782>) \n[CVE-2017-11783](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11783>) \n[CVE-2017-11784](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11784>) 
\n[CVE-2017-11785](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11785>) \n[CVE-2017-11814](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11814>) \n[CVE-2017-11815](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11815>) \n[CVE-2017-11816](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11816>) \n[CVE-2017-11817](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11817>) \n[CVE-2017-11818](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11818>) \n[CVE-2017-11823](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11823>) \n[CVE-2017-11824](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11824>) \n[CVE-2017-11829](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11829>) \n[CVE-2017-8689](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8689>) \n[CVE-2017-8693](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8693>) \n[CVE-2017-8694](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8694>) \n[CVE-2017-8703](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8703>) \n[CVE-2017-8715](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8715>) \n[CVE-2017-8717](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8717>) \n[CVE-2017-8718](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8718>) \n[CVE-2017-8727](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8727>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2017-11762](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11762>)0.0Unknown 
\n[CVE-2017-11763](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11763>)0.0Unknown \n[CVE-2017-11765](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11765>)0.0Unknown \n[CVE-2017-11769](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11769>)0.0Unknown \n[CVE-2017-11771](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11771>)0.0Unknown \n[CVE-2017-11772](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11772>)0.0Unknown \n[CVE-2017-11779](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11779>)0.0Unknown \n[CVE-2017-11780](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11780>)0.0Unknown \n[CVE-2017-11781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11781>)0.0Unknown \n[CVE-2017-11782](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11782>)0.0Unknown \n[CVE-2017-11783](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11783>)0.0Unknown \n[CVE-2017-11784](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11784>)0.0Unknown \n[CVE-2017-11785](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11785>)0.0Unknown \n[CVE-2017-11814](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11814>)0.0Unknown \n[CVE-2017-11815](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11815>)0.0Unknown \n[CVE-2017-11816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11816>)0.0Unknown \n[CVE-2017-11817](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11817>)0.0Unknown \n[CVE-2017-11818](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11818>)0.0Unknown \n[CVE-2017-11823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11823>)0.0Unknown \n[CVE-2017-11824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11824>)0.0Unknown \n[CVE-2017-11829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11829>)0.0Unknown \n[CVE-2017-8689](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8689>)0.0Unknown 
\n[CVE-2017-8693](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8693>)0.0Unknown \n[CVE-2017-8694](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8694>)0.0Unknown \n[CVE-2017-8703](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8703>)0.0Unknown \n[CVE-2017-8715](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8715>)0.0Unknown \n[CVE-2017-8717](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8717>)0.0Unknown \n[CVE-2017-8718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8718>)0.0Unknown \n[CVE-2017-8727](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8727>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038793](<http://support.microsoft.com/kb/4038793>) \n[4041689](<http://support.microsoft.com/kb/4041689>) \n[4041693](<http://support.microsoft.com/kb/4041693>) \n[4041687](<http://support.microsoft.com/kb/4041687>) \n[4041676](<http://support.microsoft.com/kb/4041676>) \n[4041690](<http://support.microsoft.com/kb/4041690>) \n[4041691](<http://support.microsoft.com/kb/4041691>) \n[4042895](<http://support.microsoft.com/kb/4042895>) \n[4041679](<http://support.microsoft.com/kb/4041679>) \n[4048955](<http://support.microsoft.com/kb/4048955>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 46, "modified": "2020-07-22T00:00:00", "published": "2017-10-10T00:00:00", "id": "KLA11111", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11111", "title": "\r KLA11111Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2017-10-22T19:31:53", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11762", "CVE-2017-11763", "CVE-2017-11765", "CVE-2017-11767", "CVE-2017-11769", "CVE-2017-11771", "CVE-2017-11772", "CVE-2017-11774", "CVE-2017-11775", "CVE-2017-11776", "CVE-2017-11777", "CVE-2017-11779", "CVE-2017-11780", 
"CVE-2017-11781", "CVE-2017-11782", "CVE-2017-11783", "CVE-2017-11784", "CVE-2017-11785", "CVE-2017-11786", "CVE-2017-11790", "CVE-2017-11792", "CVE-2017-11793", "CVE-2017-11794", "CVE-2017-11796", "CVE-2017-11797", "CVE-2017-11798", "CVE-2017-11799", "CVE-2017-11800", "CVE-2017-11801", "CVE-2017-11802", "CVE-2017-11804", "CVE-2017-11805", "CVE-2017-11806", "CVE-2017-11807", "CVE-2017-11808", "CVE-2017-11809", "CVE-2017-11810", "CVE-2017-11811", "CVE-2017-11812", "CVE-2017-11813", "CVE-2017-11814", "CVE-2017-11815", "CVE-2017-11816", "CVE-2017-11817", "CVE-2017-11818", "CVE-2017-11819", "CVE-2017-11820", "CVE-2017-11821", "CVE-2017-11822", "CVE-2017-11823", "CVE-2017-11824", "CVE-2017-11825", "CVE-2017-11826", "CVE-2017-11829", "CVE-2017-8689", "CVE-2017-8693", "CVE-2017-8694", "CVE-2017-8703", "CVE-2017-8715", "CVE-2017-8717", "CVE-2017-8718", "CVE-2017-8726", "CVE-2017-8727"], "description": "Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. 
<br /><br /><a name='more'></a><br /><h2 id=\"h.vyxocry7flp\">Vulnerabilities Rated Critical</h2><br />The following vulnerabilities are rated \"Critical\" by Microsoft: <br /><br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813\">CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11822\">CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11762\">CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11763\">CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11797\">CVE-2017-11797 - Scripting Engine Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11767\">CVE-2017-11767 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792\">CVE-2017-11792 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793\">CVE-2017-11793 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11796\">CVE-2017-11796 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11798\">CVE-2017-11798 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11799\">CVE-2017-11799 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11800\">CVE-2017-11800 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11801\">CVE-2017-11801 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11802\">CVE-2017-11802 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11804\">CVE-2017-11804 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11805\">CVE-2017-11805 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11806\">CVE-2017-11806 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11807\">CVE-2017-11807 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11808\">CVE-2017-11808 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809\">CVE-2017-11809 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810\">CVE-2017-11810 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811\">CVE-2017-11811 - 
Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812\">CVE-2017-11812 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11821\">CVE-2017-11821 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11779\">CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11771\">CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8727\">CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11819\">CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability</a></li></ul><h3 id=\"h.9n0bk25dm78x\">CVE-2017-11813, CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability</h3><br />Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that exploits one of these flaws.<br /><br /><h3 id=\"h.p7pfodbbvqp3\">CVE-2017-11762, CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability</h3><br />Two vulnerabilities have been identified in the font library of the Microsoft Graphics Component that could allow an attacker to execute arbitrary code. 
These vulnerabilities manifest due to the library incorrectly handling specialty embedded fonts within a web page or document. Exploitation of these two vulnerabilities could be achieved if a user navigates to a malicious web page or if the user opens a specially crafted document that exploits these vulnerabilities.<br /><br /><h3 id=\"h.2zd3ocgo4tir\">Multiple CVEs - Scripting Engine Memory Corruption Vulnerability</h3><br />Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked \"safe for initialization.\"<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><br /><ul><li>CVE-2017-11767</li><li>CVE-2017-11792</li><li>CVE-2017-11793</li><li>CVE-2017-11796</li><li>CVE-2017-11797</li><li>CVE-2017-11798</li><li>CVE-2017-11799</li><li>CVE-2017-11800</li><li>CVE-2017-11801</li><li>CVE-2017-11802</li><li>CVE-2017-11804</li><li>CVE-2017-11805</li><li>CVE-2017-11806</li><li>CVE-2017-11807</li><li>CVE-2017-11808</li><li>CVE-2017-11809</li><li>CVE-2017-11810</li><li>CVE-2017-11811</li><li>CVE-2017-11812</li><li>CVE-2017-11821</li></ul><h3 id=\"h.6zgalyi0vdh0\">CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Windows DNS that could allow an attacker to execute arbitrary code in the context of the Local System account. 
This vulnerability manifests in DNSAPI.dll as a result of improperly handling DNS responses. A scenario where this vulnerability could be exploited would be one where an attacker stands up a malicious DNS server to transmit specially crafted DNS responses to the target.<br /><br /><h3 id=\"h.30w8s827zxf7\">CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in Windows Search that could allow an attacker to elevate their privileges and subsequently execute code in the elevated context. This vulnerability manifests due to improper handling of objects in memory. For this vulnerability to be exploited, an attacker would need to either have access to the targeted host or remotely trigger it through an SMB connection.<br /><br /><h3 id=\"h.vl6grtvoq51l\">CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified in Internet Explorer which could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests as a result of Internet Explorer improperly accessing objects in memory via the Microsoft Windows Text Services Framework. An attacker could create a specially crafted web page that exploits this vulnerability and subsequently socially engineer a user to visit the page to compromise users. Additionally, attackers could leverage vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit and compromise users.<br /><br /><h3 id=\"h.idto8iab26ye\">CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Microsoft web browsers which manifests due to improper handling of objects in memory. 
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. An attacker could leverage this vulnerability to exploit users by crafting a specially formed web page and socially engineering users to visit such a page. Other scenarios include an attacker leveraging vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit this vulnerability and compromise users.<br /><br /><h2 id=\"h.ykle8if9gdqr\">Vulnerabilities Rated Important</h2><br />The following vulnerabilities are rated \"important\" by Microsoft:<br /><br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790\">CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11794\">CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8726\">CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8693\">CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8717\">CVE-2017-8717 - Microsoft JET Database Engine Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8718\">CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826\">CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11825\">CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11775\">CVE-2017-11775 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11777\">CVE-2017-11777 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11820\">CVE-2017-11820 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11776\">CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774\">CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11772\">CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11823\">CVE-2017-11823 - Microsoft Windows Security Feature Bypass</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786\">CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11769\">CVE-2017-11769 - TRIE Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8689\">CVE-2017-8689 - Win32k Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8694\">CVE-2017-8694 - 
Win32k Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11783\">CVE-2017-11783 - Windows Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11816\">CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11824\">CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11817\">CVE-2017-11817 - Windows Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11765\">CVE-2017-11765 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11784\">CVE-2017-11784 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11785\">CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11814\">CVE-2017-11814 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8715\">CVE-2017-8715 - Windows Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11781\">CVE-2017-11781 - Windows SMB Denial of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11782\">CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11815\">CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11780\">CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11818\">CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8703\">CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11829\">CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability</a></li></ul><h3 id=\"h.g7oy1wnmoh\">CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Internet Explorer that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Internet Explorer improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to a site that hosts user-generated content could also be exploited.<br /><br /><h3 id=\"h.nb288lrlg1t0\">CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Edge that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Edge improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. 
Additionally, users who navigate to a site that hosts user-generated content could also be exploited.<br /><br /><h3 id=\"h.xeyotn6ksca2\">CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified in Edge that could allow an attacker to execute arbitrary code in the context of the user. This vulnerability manifests due to Edge improperly handling objects in memory. Possible scenarios where an attacker could compromise a user could include web-based attacks where a user navigates to a specially crafted web page under the attacker's control. Other possibilities include a user opening a Microsoft Office document containing an embedded ActiveX control marked \"safe for initialization\".<br /><br /><h3 id=\"h.ljhh4ib6ascw\">CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. <br /><br /><h3 id=\"h.b3tc5u640xdc\">CVE-2017-8717, CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability</h3><br />Two arbitrary code execution vulnerabilities have been identified in the Microsoft JET Database Engine that could allow an attacker to execute arbitrary code in the context of the current user. These vulnerabilities manifest as buffer overflow conditions when triggered. For an attacker to successfully exploit these vulnerabilities, a user would need to open or preview a specially crafted Microsoft Excel document on an affected version of Windows. 
An email-based attack where an attacker sends a victim a specially crafted Excel document is the most likely scenario where a user could be compromised.<br /><br /><h3 id=\"h.8jrdy5afh6a8\">CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability</h3><br />A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that in certain conditions, the Preview Pane is an attack vector as well.<br /><br /><h3 id=\"h.ylhjbo1cr5qh\">CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability</h3><br />A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.<br /><br /><h3 id=\"h.oxc5wddvo6jo\">Multiple CVEs - Microsoft Office SharePoint XSS Vulnerability</h3><br />Multiple vulnerabilities in Microsoft Office SharePoint have been identified that could allow an attacker to execute a cross-site scripting (XSS) attack. 
These vulnerabilities manifest due to SharePoint Server improperly sanitizing specific web requests from a user. Successful exploitation of these flaws could allow an attacker to execute scripts in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.<br /><br />The following CVEs reflect these vulnerabilities:<br /><br /><ul><li>CVE-2017-11775</li><li>CVE-2017-11777</li><li>CVE-2017-11820</li></ul><h3 id=\"h.c41fpdu70sl\">CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability in Microsoft Outlook has been identified that could leak sensitive information to third parties. This vulnerability manifests when Outlook fails to establish a secure connection. An attacker who exploits this vulnerability could obtain the email content of a user.<br /><br /><h3 id=\"h.qzz1eubjito7\">CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability</h3><br />A security feature bypass vulnerability has been identified in Microsoft Outlook that could be used to execute arbitrary commands. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a specially crafted document file could be exploited. A scenario where this could occur would be in a file-sharing attack where an attacker gives the user a file and socially engineers them to open it.<br /><br /><h3 id=\"h.h7qopze2yjkx\">CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Windows Search that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Windows Search improperly handling objects in memory. 
Exploitation of this vulnerability could be achieved if an authenticated user sends specially crafted messages to the Windows Search service. Alternatively, this vulnerability could be exploited remotely in an enterprise setting over an SMB connection from an unauthenticated attacker. <br /><br /><h3 id=\"h.vz622ye9nv6q\">CVE-2017-11823 - Microsoft Windows Security Feature Bypass</h3><br />A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.<br /><br /><h3 id=\"h.oakx7dmaktpr\">CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Skype for Business that could allow an authenticated attacker to potentially impersonate a user. This vulnerability manifests due to Skype for Business improperly handling specific authentication requests. An attacker who initiates an instant message session while a specially crafted profile image is set could exploit this vulnerability and steal an authentication hash that could be reused in different contexts. Successful exploitation would allow an attacker to perform actions that a user is permitted to do, resulting in various outcomes such as privilege escalation.<br /><br /><h3 id=\"h.m4vwz0vfvmia\">CVE-2017-11769 - TRIE Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in Windows that could allow an attacker to execute code in the context of the current user. 
This vulnerability manifests due to the way certain Windows components improperly handle loading DLL files. Successful exploitation could allow an attacker to perform actions or execute commands within the context of the current user.<br /><br /><h3 id=\"h.s3nuhh6mevtm\">CVE-2017-8689, CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability</h3><br />Two vulnerabilities in Windows Kernel-Mode Drivers have been identified that could allow a privilege escalation attack to occur. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.<br /><br /><h3 id=\"h.efo91ikgy106\">CVE-2017-11783 - Windows Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Windows that could allow an authenticated attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to Windows improperly handling calls to Advanced Local Procedure Call (ALPC). A user who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.<br /><br /><h3 id=\"h.ctwd13favj7d\">CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Device Interface (GDI) that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the GDI improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. 
<br /><br /><h3 id=\"h.3ttkcyczmr38\">CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.<br /><br /><h3 id=\"h.xs6yd6lux2zt\">CVE-2017-11817 - Windows Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the kernel improperly initializing objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. <br /><br /><h3 id=\"h.64j13moi1fp9\">CVE-2017-11784, CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain memory addresses and bypass Kernel Address Space Layout Randomization (KASLR). Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them. <br /><br /><h3 id=\"h.7pxt6sdcvtyu\">CVE-2017-11765, CVE-2017-11814 - Windows Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. 
These vulnerabilities manifest due to the kernel improperly initializing objects in memory. Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them. <br /><br /><h3 id=\"h.cingn0ygtdh4\">CVE-2017-8715 - Windows Security Feature Bypass Vulnerability</h3><br />A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.<br /><br /><h3 id=\"h.jfc0amtsn2gv\">CVE-2017-11781 - Windows SMB Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified in Microsoft SMB that could allow an attacker to crash an affected host. This vulnerability manifests due to SMB improperly handling certain requests. An attacker who sends a vulnerable server specially crafted requests could exploit this vulnerability and create a denial of service condition for users.<br /><br /><h3 id=\"h.s6konclvij9e\">CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in the default Windows SMB Server configuration that could allow anonymous users to access certain named pipes. These named pipes could be used to send specially crafted requests to services that accept requests via named pipes. 
An attacker who is able to send SMB messages to an affected SMB server could exploit this vulnerability.<br /><br /><h3 id=\"h.eu27t49sp7sb\">CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Windows SMB that could allow an attacker to access files they otherwise should not have access to. This vulnerability manifests due to the SMB server improperly handling certain requests. An attacker who is able to authenticate to the SMB server and send it SMB messages could exploit this vulnerability.<br /><br /><h3 id=\"h.4pj6p2ufcvo6\">CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Microsoft Server Message Block 1.0 (SMBv1) which could allow an attacker to compromise SMBv1 servers. This vulnerability manifests due to the way SMBv1 servers handle certain requests. Exploitation of this vulnerability could be achieved by an unauthenticated attacker by sending specially crafted requests to the affected server.<br /><br /><h3 id=\"h.faj8k2jjkgei\">CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability</h3><br />A security feature bypass has been identified in Microsoft Windows storage which could allow an application with a certain integrity level to execute code at a different level. This vulnerability manifests due to Windows improperly validating an integrity-level check.<br /><br /><h3 id=\"h.xb5ohr1yadjd\">CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified in the Windows Subsystem for Linux (WSL). This vulnerability manifests due to the WSL improperly handling objects in memory. 
An attacker who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.<br /><br /><h3 id=\"h.4x4sjotidrnz\">CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Windows Update Delivery Optimization that could allow an attacker to overwrite files of a higher privilege than what the attacker possesses. This vulnerability manifests due to Windows Update Delivery Optimization improperly enforcing file share permissions. An attacker who is able to log into the system and create a Delivery Optimization job could exploit this vulnerability.<br /><br /><h2 id=\"h.f970sl5g45g5\">Coverage</h2><br />In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.<br /><br />Snort Rules:<br /><br /><ul><li>44333-44334</li><li>44508-44519</li><li>44526-44529</li><li>44532-44533</li></ul>", "modified": "2017-10-10T20:25:22", "published": "2017-10-10T13:25:00", "id": "TALOSBLOG:D985A5A21B218B47A518D6D4AB858393", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/As9MZaE7IyE/ms-tuesday.html", "title": "Microsoft Patch Tuesday - October 2017", "type": "talosblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2017-10-25T19:33:12", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11762", "CVE-2017-11763", "CVE-2017-11765", "CVE-2017-11769", "CVE-2017-11771", "CVE-2017-11772", "CVE-2017-11774", "CVE-2017-11775", "CVE-2017-11776", "CVE-2017-11777", "CVE-2017-11779", "CVE-2017-11780", "CVE-2017-11781", "CVE-2017-11782", "CVE-2017-11783", "CVE-2017-11784", "CVE-2017-11785", "CVE-2017-11786", "CVE-2017-11790", "CVE-2017-11792", "CVE-2017-11793", "CVE-2017-11794", "CVE-2017-11796", "CVE-2017-11797", "CVE-2017-11798", "CVE-2017-11799", "CVE-2017-11800", "CVE-2017-11801", "CVE-2017-11802", "CVE-2017-11804", "CVE-2017-11805", "CVE-2017-11806", "CVE-2017-11807", "CVE-2017-11808", "CVE-2017-11809", "CVE-2017-11810", "CVE-2017-11811", "CVE-2017-11812", "CVE-2017-11813", "CVE-2017-11814", "CVE-2017-11815", "CVE-2017-11816", "CVE-2017-11817", "CVE-2017-11818", "CVE-2017-11819", "CVE-2017-11820", "CVE-2017-11821", "CVE-2017-11822", "CVE-2017-11823", "CVE-2017-11824", 
"CVE-2017-11825", "CVE-2017-11826", "CVE-2017-11829", "CVE-2017-8689", "CVE-2017-8693", "CVE-2017-8694", "CVE-2017-8703", "CVE-2017-8715", "CVE-2017-8717", "CVE-2017-8718", "CVE-2017-8726", "CVE-2017-8727"], "description": "\n\nEven though \u201cPatch Tuesday\u201d isn\u2019t supposed to exist anymore, here I am blogging about it. As I looked at the October updates from Microsoft, the usual suspects were there. But this month was a little different. We usually see critical vulnerabilities on the browser side, but Microsoft Office is in the spotlight with [CVE-2017-11826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826>) under active attack.\n\nThe scenario involves a specially crafted file with an affected version of Microsoft Office software. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. So, just imagine if a user is logged on with administrative user rights \u2013 an attacker could take over the system and install programs; view, change, or delete data; or create new accounts with full user rights. The table below highlights the Digital Vaccine\u00ae filters available for the Microsoft October updates.\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine\u00ae (DV) package includes coverage for Microsoft updates released on or before October 10, 2017. Microsoft had another big month with 62 security patches for September covering Windows, Internet Explorer (IE), Edge, Office, and Skype for Business. 27 of the patches are listed as Critical and 35 are rated Important. Eight of the Microsoft CVEs came through the Zero Day Initiative program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [October 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/10/10/the-october-2017-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-11762 | *29152 | \nCVE-2017-11763 | 29698 | \nCVE-2017-11765 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11769 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11771 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11772 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11774 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11775 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11776 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11777 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11779 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11780 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11781 | *29694 | \nCVE-2017-11782 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11783 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11784 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11785 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11786 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11790 | *29151 | \nCVE-2017-11792 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11793 | 29705 | \nCVE-2017-11794 | *29687 | \nCVE-2017-11796 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11797 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11798 | 29706 | \nCVE-2017-11799 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11800 | 28925 | 
\nCVE-2017-11801 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11802 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11804 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11805 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11806 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11807 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11808 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11809 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11810 | 29707 | \nCVE-2017-11811 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11812 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11813 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11814 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11815 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11816 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11817 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11818 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11819 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11820 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11821 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11822 | 29704 | \nCVE-2017-11823 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11824 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11825 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11826 | | Insufficient information currently available \nCVE-2017-11829 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8689 | 29692 | \nCVE-2017-8693 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8694 | 29693 | 
\nCVE-2017-8703 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8715 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8717 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8718 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8726 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8727 | 29699 | \n \n \n\n**Zero-Day Filters**\n\nThere are four new zero-day filters covering two vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. 
You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Microsoft (2)_**\n\n * 29695: ZDI-CAN-5067: Zero Day Initiative Vulnerability (Microsoft Chakra)\n * 29741: HTTP: Microsoft Windows WAV File Denial-of-Service Vulnerability (ZDI-17-838)\n\n**_Trend Micro (2)_**\n\n * 29701: HTTPS: Trend Micro Mobile Security Enterprise slink_id SQL Injection (ZDI-17-803)\n * 29710: HTTPS: Trend Micro InterScan Messaging Security Proxy Command Injection Vulnerability (ZDI-17-502,504)\n\n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-october-2-2017/>).", "modified": "2017-10-13T14:03:59", "published": "2017-10-13T14:03:59", "id": "TRENDMICROBLOG:141C894C9A7CCB3BB2E580A6C8292E37", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-october-9-2017/", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of October 9, 2017", "type": "trendmicroblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
