{"mscve": [{"lastseen": "2023-03-17T02:32:01", "description": "Windows Kerberos Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33679.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Windows Kerberos Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-33647", "CVE-2022-33679"], "modified": "2022-09-13T07:00:00", "id": "MS:CVE-2022-33647", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-33647", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:32:02", "description": "Windows Kerberos Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33647.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Windows Kerberos Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-33647", "CVE-2022-33679"], "modified": "2022-09-13T07:00:00", "id": "MS:CVE-2022-33679", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-33679", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-02-09T14:30:19", "description": "Windows Kerberos Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33647.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-33679", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-33647", "CVE-2022-33679"], "modified": "2022-09-15T20:09:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2022-33679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33679", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:azure:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2022-10-04T08:46:02", "description": "", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T00:00:00", "type": "zdt", "title": "Windows Kerberos RC4 MD4 Encryption Downgrade Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-33647", "CVE-2022-33679"], "modified": "2022-10-04T00:00:00", "id": "1337DAY-ID-38021", "href": "https://0day.today/exploit/description/38021", "sourceData": "Windows: Kerberos RC4 MD4 Encryption Downgrade EoP\nPlatform: Windows 10+\nClass: Elevation of Privilege\nSecurity Boundary: User\n\nSummary:\n The KDC allows an interposing attacker to downgrade to RC4 MD4 encryption in compromising the user's TGT session key resulting in EoP.\n\nNOTE: I tried to look if this was something which has been reported before. The fact that Kerberos can have its encryption downgraded is a well known issue, but the primary use case seems to be to get crackable data by weakening the encryption. However, I couldn't find a description of this specific attack. Also while I'm sure Kerberos armoring will prevent the attack as is, unless FAST is required I am led to understand that an attacker can downgrade to non-FAST if they're in a privileged position on the network.\n\nDescription: \nWhen Kerberos makes an initial request to the KDC to authenticate a user it sends an AS-REQ structure. One of the options in the AS-REQ is a list of encryption algorithms that the client supports. The KDC will accept the strongest available from the list for things like session keys.\n\nThe problem with the list is it's unprotected (without FAST) and so an attacker who interposes the connection can modify it before it goes to the KDC. This allows the attacker to downgrade the encryption used to a weaker algorithm such as RC4-HMAC which is more amenable to cracking the password due to the weak password to key generation.\n\nHowever, even with downgrading to RC4-HMAC it's not an immediate exploit, the key would have to be cracked offline which for complex passwords can take a long time. For example, a computer account usually has a 120 character randomly generated password which would be effectively impossible to crack.\n\nThrough inspection it seems that you can request any Kerberos encryption algorithm supported by CRYPTDLL which implements all the Kerberos encryption engines. The one of most interest is RC4-MD4 (encryption type -128) as it has some serious security weaknesses.\n\n1. Only 8 of the 16 key bytes are used by the encryption algorithm.\n2. The key is not blinded or otherwise hashed unlike RC4-HMAC which means the key stream is always the same for the same key. \n3. The encryption ignores the key usage value so different parts of the protocol also use the same RC4 key stream.\n4. The encryption has no cryptographic checksum applied so the cipher text can be modified if the plain text is known.\n5. Session keys, when generated, only have 40bits of randomness, the remaining 11 bytes of the key as populated with the value 0xAB.\n\nIf you can downgrade the client and KDC to use RC4-MD4 then it's catastrophic for the Kerberos authentication process. An attacker could get the KDC to use an RC4-MD4 session key for the initial TGT which only has 40 bits of entropy and be reasonably confident of brute forcing that before the associated ticket expires. They could then issue TGS requests for arbitrary service tickets for that user.\n\nHowever, brute force seems overly complex. Instead if the initial AS-REQ without the pre-authentication is downgraded then it induces the client into using RC4-MD4 with its RC4-HMAC key for the encrypted timestamp. The KDC authenticates the timestamp and returns an AS-REP with the result also encrypted to the user's RC4-HMAC key but with the RC4-MD4 algorithm.\n\nAlmost the entirety of the encrypted timestamps' plain text data is known or can be guessed, which means we can determine the keystream for the user's encryption key. We can then apply that keystream to decrypt some encrypted data in the AS-REP. By luck the TGT session key is at the start of the encrypted data. We don't have enough of the keystream from the timestamp to decrypt the entire key but we only need the first 5 bytes due to the weak session key generation. We end up with an overlap between the last byte of the key and the first byte of the microseconds for the timestamp which could be anything. As long as we then observe at least one TGS-REQ from the user (which they will almost certainly do) we can use that to brute force offline the single remaining byte of the key. With the TGT session key the attacker could impersonate the user entirely.\n\nHow you interpose the Kerberos connection is myriad. Obviously local network based attacks are possible such as a \\\"Coffee Shop\\\" attack or DNS spoofing. It's possible this could also resurrect attacks such as MS15-011 on group policy as getting the TGT of the computer account would allow for the session keys for service tickets to be decrypted and by extension the sub-session keys from the AP-REQ to hijack the SMB connection.\n\nFixing wise, nothing should be using the RC4-MD4 encryption algorithm, it's not even clear why it's still there in CRYPTDLL. One way to mitigate the attack as described is to disable RC4 across the board, both on the KDC and the clients. If this is only disabled on clients then it might be possible to get the initial pre-authentication to use AES but only change the session key which might allow it to continue to function but I've not verified that. Even if you do that you might need to bruteforce the session key, but that's doable. \n\nUsing PKINIT would break the initial hijacking of the AS-REQ's encrypted timestamp, but it might still be possible to downgrade the TGT's session key. At that point the only attack might be to brute force the key. However it is also possible that the encrypted data in the initial TGS-REQ could be attacked instead as the encrypted authorization data is encrypted with the same key as the authenticator.\n\nFAST would also break the attack as described but I'm not sure if that's sufficient if you're in a privileged network position and FAST is not required.\n\nProof of Concept:\n\nI've provided a PoC as a C# project. It works locally using KDC pinning to hijack a SSPI Kerberos authentication process to steal the TGT. This in itself is a potentially useful local privilege escalation but of course the real attack would be remote. You need to get and build a copy of my NtApiDotNet library to build the project (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools).\n\n1) Compile the C# project, put a copy of NtApiDotNet.dll in the project's directory before building.\n2) Run the POC on a domain joined machine where FAST hasn't been configured and RC4 is still enabled.\n3) The POC should complete successfully.\n\nExpected Result:\nThe downgraded encryption is rejected on the KDC and/or the client.\n\nObserved Result:\nThe KDC and client honor the encryption downgrade and the POC can request a new TGT indicated by printing the final key.\n\nThis bug is subject to a 90-day disclosure deadline. If a fix for this\nissue is made available to users before the end of the 90-day deadline,\nthis bug report will become public 30 days after the fix was made\navailable. Otherwise, this bug report will become public at the deadline.\nThe scheduled deadline is 2022-08-31.\n\nRelated CVE Numbers: CVE-2022-33647,CVE-2022-33679.\n", "sourceHref": "https://0day.today/exploit/38021", "cvss": {"score": 0.0, "vector": "NONE"}}], "googleprojectzero": [{"lastseen": "2023-01-18T01:58:51", "description": "By James Forshaw, Project Zero\n\n \n\n\nI've been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number [2310](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2310>) with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements.\n\n \n\n\nThis blog post goes into more detail on how this vulnerability works and how I was able to exploit it with only a bare minimum of brute forcing required. Note, I'm not going to spend time fully explaining how Kerberos authentication works, there's plenty of resources online. For example [this blog post](<https://syfuhs.net/a-bit-about-kerberos>) by [Steve Syfuhs](<https://twitter.com/SteveSyfuhs>) who works at Microsoft is a good first start.\n\n## Background\n\nKerberos is a very old authentication protocol. The current version (v5) was described in [RFC1510](<https://datatracker.ietf.org/doc/html/rfc1510>) back in 1993, although it was updated in [RFC4120](<https://datatracker.ietf.org/doc/html/rfc4120>) in 2005. As Kerberos' core security concept is using encryption to prove knowledge of a user's credentials the design allows for negotiating the encryption and checksum algorithms that the client and server will use. \n\n \n\n\nFor example when sending the initial authentication service request (AS-REQ) to the Key Distribution Center (KDC) a client can specify a list supported encryption algorithms, as predefined integer identifiers, as shown below in the snippet of the ASN.1 definition from RFC4120.\n\n \n\n\nKDC-REQ-BODY ::= SEQUENCE {\n\n...\n\netype [8] SEQUENCE OF Int32 -- EncryptionType\n\n\\-- in preference order --,\n\n...\n\n}\n\n \n\n\nWhen the server receives the request it checks its list of supported encryption types and the ones the user's account supports (which is based on what keys the user has configured) and then will typically choose the one the client most preferred. The selected algorithm is then used for anything requiring encryption, such as generating session keys or the EncryptedData structure as shown below:\n\n \n\n\nEncryptedData ::= SEQUENCE {\n\netype [0] Int32 -- EncryptionType --,\n\nkvno [1] UInt32 OPTIONAL,\n\ncipher [2] OCTET STRING -- ciphertext\n\n}\n\n \n\n\nThe KDC will send back an authentication service reply (AS-REP) structure containing the user's Ticket Granting Ticket (TGT) and an EncryptedData structure which contains the session key necessary to use the TGT to request service tickets. The user can then use their known key which corresponds to the requested encryption algorithm to decrypt the session key and complete the authentication process.\n\n \n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRE6Kj-svyxGDL8OhnPM46jhk7cf3JEJrssrRSwToM3q63wAaqtboIVHeEiZ5bONQoHZNapfdxpDr3kXMbxLakja1tqshef6N4GDNlw1BXyhanRY_Jg2zDqTlIPmHZBZ2XvCMf_23GXoRSS-18_zLCfwYV2v4xOR5usrM4zq1AONy2U57oCk-n-BpW/s1062/image5.png>) \n\n\nThis flexibility in selecting an encryption algorithm is both a blessing and a curse. In the original implementations of Kerberos only DES encryption was supported, which by modern standards is far too weak. Because of the flexibility developers were able to add support for AES through [RFC3962](<https://datatracker.ietf.org/doc/html/rfc3962>) which is supported by all modern versions of Windows. This can then be negotiated between client and server to use the best algorithm both support. However, unless weak algorithms are explicitly disabled there's nothing stopping a malicious client or server from downgrading the encryption algorithm in use and trying to break Kerberos using cryptographic attacks.\n\n \n\n\nModern versions of Windows have started to disable DES as a supported encryption algorithm, preferring AES. However, there's another encryption algorithm which Windows supports which is still enabled by default, [RC4](<https://en.wikipedia.org/wiki/RC4>). This algorithm was used in Kerberos by Microsoft for Windows 2000, although its documentation was in draft form until [RFC4757](<https://datatracker.ietf.org/doc/html/rfc4757>) was released in 2006. \n\n \n\n\nThe RC4 stream cipher has many substantial weaknesses, but when it was introduced it was still considered a better option than DES which has been shown to be sufficiently vulnerable to hardware cracking such as the EFF's \"[Deep Crack](<https://en.wikipedia.org/wiki/EFF_DES_cracker>)\". Using RC4 also had the advantage that it was relatively easy to operate in a reduced key size mode to satisfy US export requirements of cryptographic systems. \n\n \n\n\nIf you read the RFC for the implementation of RC4 in Kerberos, you'll notice it doesn't use the stream cipher as is. Instead it puts in place various protections to guard against common cryptographic attacks:\n\n * The encrypted data is protected by a keyed MD5 HMAC hash to prevent tampering which is trivial with a simple stream cipher such as RC4. The hashed data includes a randomly generated 8-byte \"confounder\" so that the hash is randomized even for the same plain text.\n\n * The key used for the encryption is derived from the hash and a base key. This, combined with the confounder makes it almost certain the same key is never reused for the encryption.\n\n * The base key is not the user's key, but instead is derived from a MD5 HMAC keyed with the user's key over a 4 byte message type value. For example the message type is different for the AS-REQ and the AS-REP structures. This prevents an attacker using Kerberos as an encryption oracle and reusing existing encrypted data in unrelated parts of the protocol.\n\n \n\n\nMany of the known weaknesses of RC4 are related to gathering a significant quantity of ciphertext encrypted with a known key. Due to the design of the RC4-HMAC algorithm and the general functional principles of Kerberos this is not really a significant concern. However, the biggest weakness of RC4 as defined by Microsoft for Kerberos is not so much the algorithm, but the generation of the user's key from their password. \n\n \n\n\nAs already mentioned Kerberos was introduced in Windows 2000 to replace the existing NTLM authentication process used from NT 3.1. However, there was a problem of migrating existing users to the new authentication protocol. In general the KDC doesn't store a user's password, instead it stores a hashed form of that password. For NTLM this hash was generated from the Unicode password using a single pass of the MD4 algorithm. Therefore to make an easy upgrade path Microsoft specified that the RC4-HMAC Kerberos key was this same hash value.\n\n \n\n\nAs the MD4 output is 16 bytes in size it wouldn't be practical to brute force the entire key. However, the hash algorithm has no protections against brute-force attacks for example no salting or multiple iterations. If an attacker has access to ciphertext encrypted using the RC4-HMAC key they can attempt to brute force the key through guessing the password. As user's will tend to choose weak or trivial passwords this increases the chance that a brute force attack would work to recover the key. And with the key the attacker can then authenticate as that user to any service they like. \n\n \n\n\nTo get appropriate cipher text the attacker can make requests to the KDC and specify the encryption type they need. The most well known attack technique is called [Kerberoasting](<https://attack.mitre.org/techniques/T1558/003/>). This technique requests a service ticket for the targeted user and specifies the RC4-HMAC encryption type as their preferred algorithm. If the user has an RC4 key configured then the ticket returned can be encrypted using the RC4-HMAC algorithm. As significant parts of the plain-text is known for the ticket data the attacker can try to brute force the key from that. \n\n \n\n\nThis technique does require the attacker to have an account on the KDC to make the service ticket request. It also requires that the user account has a configured Service Principal Name (SPN) so that a ticket can be requested. Also modern versions of Windows Server will try to block this attack by forcing the use of AES keys which are derived from the service user's password over RC4 even if the attacker only requested RC4 support.\n\n \n\n\nAn alternative form is called [AS-REP Roasting](<https://attack.mitre.org/techniques/T1558/004/>). Instead of requesting a service ticket this relies on the initial authentication requests to return encrypted data. When a user sends an AS-REQ structure, the KDC can look up the user, generate the TGT and its associated session key then return that information encrypted using the user's RC4-HMAC key. At this point the KDC hasn't verified the client knows the user's key before returning the encrypted data, which allows the attacker to brute force the key without needing to have an account themselves on the KDC.\n\n \n\n\nFortunately this attack is more rare because Windows's Kerberos implementation requires pre-authentication. For a password based logon the user uses their encryption key to encrypt a timestamp value which is sent to the KDC as part of the AS-REQ. The KDC can decrypt the timestamp, check it's within a small time window and only then return the user's TGT and encrypted session key. This would prevent an attacker getting encrypted data for the brute force attack. \n\n \n\n\nHowever, Windows does support a user account flag, \"Do not require Kerberos preauthentication\". If this flag is enabled on a user the authentication request does not require the encrypted timestamp to be sent and the AS-REP roasting process can continue. This should be an uncommon configuration.\n\n \n\n\nThe success of the brute-force attack entirely depends on the password complexity. Typically service user accounts have a long, at least 25 character, randomly generated password which is all but impossible to brute force. Normal users would typically have weaker passwords, but they are less likely to have a configured SPN which would make them targets for Kerberoasting. The system administrator can also mitigate the attack by disabling RC4 entirely across the network, though this is not commonly done for compatibility reasons. A more limited alternative is to add sensitive users to the [Protected Users Group](<https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group>), which disables RC4 for them without having to disable it across the entire network.\n\n## Windows Kerberos Encryption Implementation\n\nWhile working on researching Windows Defender Credential Guard (CG) I wanted to understand how Windows actually implements the various Kerberos encryption schemes. The primary goal of CG at least for Kerberos is to protect the user's keys, specifically the ones derived from their password and session keys for the TGT. If I could find a way of using one of the keys with a weak encryption algorithm I hoped to be able to extract the original key removing CG's protection.\n\n \n\n\nThe encryption algorithms are all implemented inside the CRYPTDLL.DLL library which is separate from the core Kerberos library in KERBEROS.DLL on the client and KDCSVC.DLL on the server. This interface is undocumented but it's fairly easy to work out how to call the exported functions. For example, to get a \"crypto system\" from the encryption type integer you can use the following exported function:\n\n \n\n\nNTSTATUS CDLocateCSystem(int etype, KERB_ECRYPT** engine);\n\n \n\n\nThe KERB_ECRYPT structure contains configuration information for the engine such as the size of the key and function pointers to convert a password to a key, generate new session keys, and perform encryption or decryption. The structure also contains a textual name so that you can get a quick idea of what algorithm is supposed to be, which lead to the following supported systems:\n\n \n\n\nName Encryption Type\n\n\\---- ---------------\n\nRSADSI RC4-HMAC 24\n\nRSADSI RC4-HMAC 23\n\nKerberos AES256-CTS-HMAC-SHA1-96 18\n\nKerberos AES128-CTS-HMAC-SHA1-96 17\n\nKerberos DES-CBC-MD5 3\n\nKerberos DES-CBC-CRC 1\n\nRSADSI RC4-MD4 -128\n\nKerberos DES-Plain -132\n\nRSADSI RC4-HMAC -133\n\nRSADSI RC4 -134\n\nRSADSI RC4-HMAC -135\n\nRSADSI RC4-EXP -136\n\nRSADSI RC4 -140\n\nRSADSI RC4-EXP -141\n\nKerberos AES128-CTS-HMAC-SHA1-96-PLAIN -148\n\nKerberos AES256-CTS-HMAC-SHA1-96-PLAIN -149\n\n \n\n\nEncryption types with positive values are well-known encryption types defined in the RFCs, whereas negative values are private types. Therefore I decided to spend my time on these private types. Most of the private types were just subtle variations on the existing well-known types, or clones with legacy numbers. \n\n \n\n\nHowever, one stood out as being different from the rest, \"RSADSI RC4-MD4\" with type value -128. This was different because the implementation was incredibly insecure, specifically it had the following properties:\n\n \n\n\n * Keys are 16 bytes in size, but only the first 8 of the key bytes are used by the encryption algorithm.\n\n * The key is used as-is, there's no blinding so the key stream is always the same for the same user key.\n\n * The message type is ignored, which means that the key stream is the same for different parts of the Kerberos protocol when using the same key.\n\n * The encrypted data does not contain any cryptographic hash to protect from tampering with the ciphertext which for RC4 is basically catastrophic. Even though the name contains MD4 this is only used for deriving the key from the password, not for any message integrity.\n\n * Generated session keys are 16 bytes in size but only contain 40 bits (5 bytes) of randomness. The remaining 11 bytes are populated with the fixed value of 0xAB.\n\n \n\n\nTo say this is bad from a cryptographic standpoint, is an understatement. Fortunately it would be safe to assume that while this crypto system is implemented in CRYPTDLL, it wouldn't be used by Kerberos? Unfortunately not \u2014 it is totally accepted as a valid encryption type when sent in the AS-REQ to the KDC. The question then becomes how to exploit this behavior?\n\n## Exploitation on the Wire (CVE-2022-33647)\n\nMy first thoughts were to attack the session key generation. If we could get the server to return the AS-REP with a RC4-MD4 session key for the TGT then any subsequent usage of that key could be captured and used to brute force the 40 bit key. At that point we could take the user's TGT which is sent in the clear and the session key and make requests as that authenticated user.\n\n \n\n\nThe most obvious approach to forcing the preferred encryption type to be RC4-MD4 would be to interpose the connection between a client and the KDC. The etype field of the AS-REQ is not protected for password based authentication. Therefore a proxy can modify the field to only include RC4-MD4 which is then sent to the KDC. Once that's completed the proxy would need to also capture a service ticket request to get encrypted data to brute force.\n\n \n\n\nBrute forcing the 40 bit key would be technically feasible at least if you built a giant lookup table, however I felt like it's not practical. I realized there's a simpler way, when a client authenticates it typically sends a request to the KDC with no pre-authentication timestamp present. As long as pre-authentication hasn't been disabled the KDC returns a Kerberos error to the client with the KDC_ERR_PREAUTH_REQUIRED error code. \n\n \n\n\nAs part of that error response the KDC also sends a list of acceptable encryption types in the [PA-ETYPE-INFO2](<https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.7.5>) pre-authentication data structure. This list contains additional information for the password to key derivation such as the salt for AES keys. The client can use this information to correctly generate the encryption key for the user. I noticed that if you sent back only a single entry indicating support for RC4-MD4 then the client would use the insecure algorithm for generating the pre-authentication timestamp. This worked even if the client didn't request RC4-MD4 in the first place.\n\n \n\n\nWhen the KDC received the timestamp it would validate it using the RC4-MD4 algorithm and return the AS-REP with the TGT's RC4-MD4 session key encrypted using the same key as the timestamp. Due to the already mentioned weaknesses in the RC4-MD4 algorithm the key stream used for the timestamp must be the same as used in the response to encrypt the session key. Therefore we could mount a known-plaintext attack to recover the keystream from the timestamp and use that to decrypt parts of the response.\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUvTW1UFAq2BkR82D8pZBtol-7uMDtXUhYYWtsdj59L02yosepSSb2zaddG7GkNt9t8YvR7pQogCoZDMv9shMSF_iq0V4pIuDCt-o042w285bolE5_s3gGXZKI-XreYKDGzT48ShCCbyijZU0dDvrpFTVl-Kk4KYX6gYokC4vjlq6GpZt9_rfBRgje/s1465/image3.png>) \nThe timestamp itself has the following ASN.1 structure, which is serialized using the [Distinguished Encoding Rules (DER)](<https://en.wikipedia.org/wiki/X.690#DER_encoding>) and then encrypted.\n\n \n\n\nPA-ENC-TS-ENC ::= SEQUENCE {\n\npatimestamp [0] KerberosTime -- client's time --,\n\npausec [1] Microseconds OPTIONAL\n\n}\n\n \n\n\nThe AS-REP encrypted response has the following ASN.1 structure:\n\n \n\n\nEncASRepPart ::= SEQUENCE {\n\nkey [0] EncryptionKey,\n\nlast-req [1] LastReq,\n\nnonce [2] UInt32,\n\nkey-expiration [3] KerberosTime OPTIONAL,\n\nflags [4] TicketFlags,\n\nauthtime [5] KerberosTime,\n\nstarttime [6] KerberosTime OPTIONAL,\n\nendtime [7] KerberosTime,\n\nrenew-till [8] KerberosTime OPTIONAL,\n\nsrealm [9] Realm,\n\nsname [10] PrincipalName,\n\ncaddr [11] HostAddresses OPTIONAL\n\n}\n\n \n\n\nWe can see from the two structures that as luck would have it the session key in the AS-REP is at the start of the encrypted data. This means there should be an overlap between the known parts of the timestamp and the key, allowing us to apply key stream recovery to decrypt the session key without any brute force needed.\n\n \n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg24DDfsRh9c8OtrHaHSYfjKbUOPqVKpbrgf1ifZslYw1JDXAv8Q3hXmZRzz3MSsByAMoAg7Tpj5OIw3VzE5e9mrqIQ_fs-pLE61jHNF47qF1dBr-zFg7OV5hOSuDLJy7b9vYJm6hw5tDmK2-Oznd1hzj1a8NlBNBnGfxdX2lQfkrxQtGkhFy_nz9xR/s1187/image1.png>) \n\n\nThe diagram shows the ASN.1 DER structures for the timestamp and the start of the AS-REP. The values with specific hex digits in green are plain-text we know or can calculate as they are part of the ASN.1 structure such as types and lengths. We can see that there's a clear overlap between 4 bytes of known data in the timestamp with the first 4 bytes of the session key. We only need the first 5 bytes of the key due to the padding at the end, but this does mean we need to brute force the final key byte. \n\n \n\n\nWe can do this brute force one of two ways. First we can send service ticket requests with the user's TGT and a guess for the session key to the KDC until one succeeds. This would require at most 256 requests to the KDC. Alternatively we can capture a service ticket request from the client which is likely to happen immediately after the authentication. As the service ticket request will be encrypted using the session key we can perform the brute force attack locally without needing to talk to the KDC which will be faster. Regardless of the option chosen this approach would be orders of magnitude faster than brute forcing the entire 40 bit session key.\n\n \n\n\nThe simplest approach to performing this exploit would be to interpose the client to server connection and modify traffic. However, as the initial request without pre-authentication just returns an error message it's likely the exploit could be done by injecting a response back to the client while the KDC is processing the real request. This could be done with only the ability to monitor network traffic and inject arbitrary network traffic back into that network. However, I've not verified that approach.\n\n## Exploitation without Interception (CVE-2022-33679)\n\nThe requirement to have access to the client to server authentication traffic does make this vulnerability seem less impactful. Although there's plenty of scenarios where an attacker could interpose, such as shared wifi networks, or physical attacks which could be used to compromise the computer account authentication which would take place when a domain joined system was booted.\n\n \n\n\nIt would be interesting if there was an attack vector to exploit this without needing a real Kerberos user at all. I realized that if a user has pre-authentication disabled then we have everything we need to perform the attack. The important point is that if pre-authentication is disabled we can request a TGT for the user, specifying RC4-MD4 encryption and the KDC will send back the AS-REP encrypted using that algorithm.\n\n \n\n\nThe key to the exploit is to reverse the previous attack, instead of using the timestamp to decrypt the AS-REP we'll use the AS-REP to encrypt a timestamp. We can then use the timestamp value when sent to the KDC as an encryption oracle to brute force enough bytes of the key stream to decrypt the TGT's session key. For example, if we remove the optional microseconds component of the timestamp we get the following DER encoded values:\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJwOslmDADrdMxHQePmjJB4AwNGPGaFkdemYZCTgtHzSOcKYXYq46I5ETenRLGSjx-aPpCGMj40oox50HylEiImPmompOLGzAs0mNSRbjQtEUWhlNl6xv3XWladvkt__nep8zR4GEcMTLUHzqpC5ECmGSjYlr7CINK8BP3lBrX8n5u1hTKwcrBzMEd/s1057/image2.png>) \n\n\nThe diagram shows that currently there's no overlap between the timestamp, represented by the T bytes, and the 40 bit session key. However, we know or at least can calculate the entire DER encoded data for the AS-REP to cover the entire timestamp buffer. We can use this to calculate the keystream for the user's RC4-MD4 key without actually knowing the key itself. With the key stream we can encrypt a valid timestamp and send it to the KDC. \n\n \n\n\nIf the KDC responds with a valid AS-REP then we know we've correctly calculated the key stream. How can we use this to start decrypting the session key? The KerberosTime value used for the timestamp is an ASCII string of the form YYYYMMDDHHmmssZ. The KDC parses this string to a format suitable for processing by the server. The parser takes the time as a NUL terminated string, so we can add an additional NUL character to the end of the string and it shouldn't affect the parsing. Therefore we can change the timestamp to the following:\n\n \n\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHkQxlTmqYoIrJDtSjALIbuKT6vXVkaSM2QGjB8aErmNyny_lSLBJt4ZogLrR2naCcnSc15TiR-oq45Xj2-WDfmZpNzs1k0RYZH2VQKpLb6Whj8Z4nNkc5DIK_CdQvfT3ncuVdLnAdMSBhclQIYpIWB26fmbSWaVzdQXwYkbnnz6iPxYCGJ1sNY7rM/s1032/image4.png>) \n \n\n\nWe can now guess a value for the encrypted NUL character and send the new timestamp to the KDC. If the KDC returns an error we know that the parsing failed as it didn't decrypt to a NUL character. However, if the authentication succeeds the value we guessed is the next byte in the key stream and we can decrypt the first byte of the session key.\n\n \n\n\nAt this point we've got a problem, we can't just add another NUL character as the parser would stop on the first one we sent. Even if the value didn't decrypt to a NUL it wouldn't be possible to detect. This is when a second trick comes into play, instead of extending the string we can abuse the way value lengths are encoded in DER. A length can be in one of two forms, a short form if the length is less than 128, or a long form for everything else. \n\n \n\n\nFor the short form the length is encoded in a single byte. For the long form, the first byte has the top bit set to 1, and the lower 7 bits encode the number of trailing bytes of the length value in big-endian format. For example in the above diagram the timestamp's total size is 0x14 bytes which is stored in the short form. We can instead encode the length in an arbitrary sized long form, for example 0x81 0x14, 0x82 0x00 0x14, 0x83 0x00 0x00 0x14 etc. The examples shown below move the NUL character to brute force the next two bytes of the session key:\n\n \n\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsKgGYAwo0YMFIjyz2Htl9U6igMxgQULM7SMPuDKr4jsQckfpZSvEUSshnUpNK15rRJD5ZD9mjSOgFn7F2_vgCGr1HHHGXRuGQZmMqHwAV7c7JairJhIUONjxM7YVBkWxBdxC9MfuXPxfISUEzVaPeRG5EsvlL91sgnZs4gXMjApMLYcZq4oXy7ZEg/s1038/image6.png>)\n\nEven though technically DER should expect the shortest form necessary to encode the length the Microsoft ASN.1 library doesn't enforce that when parsing so we can just repeat this length encoding trick to cover the remaining 4 unknown bytes of the key. As the exploit brute forces one byte at a time the maximum number of requests that we'd need to send to the KDC is 5 \u00d7 28 which is 1280 requests as opposed to 240 requests which would be around 1 trillion. \n\n \n\n\nEven with such a small number of requests it can still take around 30 seconds to brute force the key, but that still makes it a practical attack. Although it would be very noisy on the network and you'd expect any competent EDR system to notice, it might be too late at that point.\n\n## The Fixes\n\nThe only fix I can find is in the KDC service for the domain controller. Microsoft has added a new flag which by default disables the RC4-MD4 algorithm and an old variant of RC4-HMAC with the encryption type of -133. This behavior can be re-enabled by setting the KDC configuration registry value AllowOldNt4Crypto. The reference to NT4 is a good indication on how long this vulnerability has existed as it presumably pre-dates the introduction of Kerberos in Windows 2000. There are probably some changes to the client as well, but I couldn't immediately find them and it's not really worth my time to reverse engineer it.\n\n \n\n\nIt'd be good to mitigate the risk of similar attacks before they're found. Disabling RC4 is definitely recommended, however that can bring [its own problems](<https://syfuhs.net/lessons-in-disabling-rc4-in-active-directory>). If this particular vulnerability was being exploited in the wild it should be pretty easy to detect. Also unusual Kerberos encryption types would be an immediate red-flag as well as the repeated login attempts.\n\n \n\n\nAnother option is to enforce [Kerberos Armoring (FAST)](<https://syfuhs.net/kerberos-fast-armoring>) on all clients and KDCs in the environment. This would make it more difficult to inspect and tamper with Kerberos authentication traffic. However it's not a panacea, for example for FAST to work the domain joined computer needs to first authenticate without FAST to get a key they can then use for protecting the communications. If that initial authentication is compromised the entire protection fails.\n\n \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-27T00:00:00", "type": "googleprojectzero", "title": "\nRC4 Is Still Considered Harmful\n", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-33647", "CVE-2022-33679"], "modified": "2022-10-27T00:00:00", "id": "GOOGLEPROJECTZERO:75823B4B03E867492EE237294C2ED9EF", "href": "https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-11-19T15:04:33", "description": "# CVE-2022-33679\npoc of CVE-20...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-03T11:19:29", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-33679"], "modified": "2022-11-19T13:13:57", "id": "E5D8CAA1-5C17-5A66-B3B6-1C229182D694", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}], "qualysblog": [{"lastseen": "2022-10-03T20:04:30", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited***** in attacks (**[CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>)***,[ ](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>)**[CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>)**). Earlier this month, on September 1-2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) ([CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>)) ranked _**Low**_.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.\n\n## **The September 2022 Microsoft Vulnerabilities are Classified as follows:**\n\n\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) | Windows TCP/IP Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>), [CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. NOTE: This vulnerability_ only impacts IKEv1_. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Zero-Day Vulnerabilities Addressed**\n\nA vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.\n\n### [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>) | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nAn attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.\n\nAn attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>) | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of [5.6](<https://nvd.nist.gov/vuln/detail/CVE-2022-23960>)/10.\n\n[CVE-2022-23960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960>) is regarding a vulnerability known as Spectre-BHB. MITRE created this CVE on behalf of Arm Limited.\n\nPlease see [Spectre-BHB on arm Developer](<https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB>) for more information.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Less Likely**_\n\n* * *\n\n# **Microsoft Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>) covers multiple Microsoft product families, including Azure, Browser, Developer Tools, [Extended Security Updates (ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Microsoft Dynamics, Microsoft Office, System Center, and Windows.\n\nA total of 92 unique Microsoft products/versions are affected, including but not limited to .NET, Azure Arc, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office SharePoint, SPNEGO Extended Negotiation, Visual Studio Code, Windows Common Log File System Driver, Windows Credential Roaming Service, Windows Defender, Windows Distributed File System (DFS), Windows DPAPI (Data Protection Application Programming Interface), Windows Enterprise App Management, Windows Event Tracing, Windows Group Policy, Windows IKE Extension, Windows Kerberos, Windows Kernel, Windows LDAP - Lightweight Directory Access Protocol, Windows ODBC Driver, Windows OLE, Windows Print Spooler Components, Windows Remote Access Connection Manager, Windows TCP/IP, and Windows Transport Security Layer (TLS).\n\nDownloads include Cumulative Update, Monthly Rollup, Security Hotpatch Update, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-38009](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38009>) | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nIn a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.\n\nThe attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-26929](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26929>) | .NET Framework Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nThe word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.\n\nFor example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-38007](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38007>) | Azure Guest Configuration and Azure Arc-enabled Servers Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nAn attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in September 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including [CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>). The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>)[CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>) | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.7/10.\n\nThe word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.\n\nFor example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.\n\nThis vulnerability could lead to a browser sandbox escape.\n\nSuccessful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.\n\nNOTE: [Per Microsoft's severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance which explains why this CVE is rated as Low, but the CVSSv3.1 score is 7.7\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released seven (7) [security bulletins and advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 63 vulnerabilities affecting Adobe Animate, Bridge, Illustrator, InCopy, InDesign, Photoshop, and Experience Manager applications. Of these 63 vulnerabilities, 35 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** and 28 rated as _****_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_****_; ranging in severity from a CVSS score of 5.3/10 to 7.8/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-40](<https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html>) | Security Update Available for Adobe Experience Manager\n\nThis update resolves 11 [_****__****_](<https://helpx.adobe.com/security/severity-ratings.html>)_****_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_****_ vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated [Important](<https://helpx.adobe.com/security/severity-ratings.html>). Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.\n\n* * *\n\n### [APSB22-49](<https://helpx.adobe.com/security/products/bridge/apsb22-49.html>) | Security Update Available for Adobe Bridge\n\nThis update resolves 12 vulnerabilities:\n\n * Ten (10) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): _3\n\nAdobe has released a security update for Adobe Bridge. This update addresses [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-50](<https://helpx.adobe.com/security/products/indesign/apsb22-50.html>) | Security Update Available for Adobe InDesign\n\nThis update resolves 18 vulnerabilities:\n\n * Eight (8) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Ten (10) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): _3\n\nAdobe has released a security update for Adobe InDesign. This update addresses multiple [critical ](<https://helpx.adobe.com/security/severity-ratings.html>)and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, and memory leak.\n\n* * *\n\n### [APSB22-52](<https://helpx.adobe.com/security/products/photoshop/apsb22-52.html>) | Security Update Available for Adobe Photoshop\n\nThis update resolves ten (10) vulnerabilities:\n\n * Nine (9) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * One (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-53](<https://helpx.adobe.com/security/products/incopy/apsb22-53.html>) | Security Update Available for Adobe InCopy\n\nThis update resolves seven (7) vulnerabilities:\n\n * Five (5) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe InCopy. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n### [APSB22-54](<https://helpx.adobe.com/security/products/animate/apsb22-54.html>) | Security Update Available for Adobe Animate\n\nThis update resolves two (2) [](<https://helpx.adobe.com/security/severity-ratings.html>)[_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Animate. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. \n\n* * *\n\n### [APSB22-55](<https://helpx.adobe.com/security/products/illustrator/apsb22-55.html>) | Security Update Available for Adobe Illustrator\n\nThis update resolves three (3) vulnerabilities:\n\n * One (1) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Illustrator 2022. This update resolves [critical ](<https://helpx.adobe.com/security/severity-ratings.html>)and [important ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n* * *\n\n## Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories from August to September 2022 Patch Tuesday Advisory\n\n_Sorted in Descending Order_\n\n * [Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday September 2022 Edition](<https://threatprotect.qualys.com/2022/09/14/microsoft-patches-vulnerabilities-79-including-16-microsoft-edge-chromium-based-with-2-zero-days-and-5-critical-in-patch-tuesday-september-2022-edition/>)\n * [Google Chrome Releases Fix for the Zero-day Vulnerability (CVE-2022-3075)](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)](<https://threatprotect.qualys.com/2022/08/29/atlassian-bitbucket-server-and-data-center-command-injection-vulnerability-cve-2022-36804/>)\n * [GitLab Patches Critical Remote Command Execution Vulnerability (CVE-2022-2884)](<https://threatprotect.qualys.com/2022/08/25/gitlab-patches-critical-remote-command-execution-vulnerability-cve-2022-2884/>)\n * [Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)](<https://threatprotect.qualys.com/2022/08/18/apple-releases-security-updates-to-patch-two-zero-day-vulnerabilities-cve-2022-32893-and-cve-2022-32894/>)\n * [Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)](<https://threatprotect.qualys.com/2022/08/18/google-chrome-zero-day-insufficient-input-validation-vulnerability-cve-2022-2856/>)\n * [Palo Alto Networks (PAN-OS) Reflected Amplification Denial-of-Service (DoS) Vulnerability (CVE-2022-0028)](<https://threatprotect.qualys.com/2022/08/16/palo-alto-networks-pan-os-reflected-amplification-denial-of-service-dos-vulnerability-cve-2022-0028/>)\n * [Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [VMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)](<https://threatprotect.qualys.com/2022/08/10/vmware-vrealize-operations-multiple-vulnerabilities-patched-in-the-latest-security-update-cve-2022-31672-cve-2022-31673-cve-2022-31674-cve-2022-31675/>)\n\n* * *\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91937` OR qid:`91938` OR qid:`91939` OR qid:`91940` OR qid:`91941` OR qid:`91942` OR qid:`91943` OR qid:`91944` OR qid:`91945` OR qid:`91946` OR qid:`91947` OR qid:`110415` OR qid:`110416` OR qid:`377590` ) \n\n\n\n [Qualys VMDR Recognized as Best VM Solution by SC Awards 2022 & Leader by GigaOm](<https://blog.qualys.com/product-tech/2022/08/22/qualys-vmdr-recognized-as-best-vm-solution-by-sc-awards-2022-leader-by-gigaom>) **_New_**\n\n [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>)\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches with one click.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91937` OR qid:`91938` OR qid:`91939` OR qid:`91940` OR qid:`91941` OR qid:`91942` OR qid:`91943` OR qid:`91944` OR qid:`91945` OR qid:`91946` OR qid:`91947` OR qid:`110415` OR qid:`110416` OR qid:`377590` ) \n\n\n\n [Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications](<https://blog.qualys.com/qualys-insights/2022/09/08/let-smart-automation-reduce-the-risk-of-zero-day-attacks-on-third-party-applications-2>) **_New_**\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n## Evaluate Vendor-Suggested Workarounds with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>)\n\nQualys\u2019 [Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires the implementation of a vendor-suggested workaround. A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. _ [Source](<https://www.techtarget.com/whatis/definition/workaround>)_\n\nThe following Qualys [Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) ](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>)have been updated to support Microsoft recommended workaround for this Patch Tuesday:\n\n#### [CVE-2022-38007](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38007>)** | Azure Guest Configuration and Azure Arc-enabled Servers Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nPolicy Compliance Control IDs (CIDs) for Checking Azure Arc-Enabled Servers on Linux:\n\n * **14112**: Status of the services installed on the Linux/UNIX host (stopped, running, failed, dead, \u2026) \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>)**** | ****Windows TCP/IP Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **3720**: Status of the 'IPSEC Services' service\n * **14916**: Status of Windows Services \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n#### [CVE-2022-35838](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35838>)****** | **HTTP V3 Denial of Service (DoS) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **24717**: Status of the 'HTTP/3' service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-33679 ](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679>), [CVE-2022-33647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33647>)**** | **Windows Kerberos Elevation of Privilege (EoP) Vulnerability**\n\nThese vulnerabilities have a CVSSv3.1 score of 8.1/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **17108**: Status of the 'KDC support for claims, compound authentication and Kerberos armoring' setting (Enabled / Disabled)\n * **17109**: Status of the 'Kerberos client support for claims, compound authentication and Kerberos armoring' setting\n * **17197**: Status of the 'KDC support for claims, compound authentication, and Kerberos armoring' setting\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-38004](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38004>) **| Windows Network File System Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **1161**: Status of the 'Fax' service\n * **14916**: Status of Windows Services\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\nThe following QQL will return a posture assessment for the CIDs for this Patch Tuesday:\n \n \n control:( id:`1161` OR id:`3720` OR id:`14112` OR id:`14916` OR id:`14916` OR id:`17108` OR id:`17108` OR id:`17109` OR id:`17109` OR id:`17197` OR id:`17197` OR id:`24717` ) \n\n\n\n [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>) **_New_**\n\n [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)\n\n* * *\n\n**Patch Tuesday is Complete.**\n\n* * *\n\n# Qualys [This Month in Vulnerabilities and Patches](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>) Webinar Series \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. \n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\n* * *\n\n## NEW & NOTEWORTHY UPCOMING EVENTS\n\nThe content within this section will spotlight Vulnerability Management, Patch Management, Threat Protections, and Policy Compliance adjacent events available to our new and existing customers.\n\n* * *\n\n[WEBINARS](<https://gateway.on24.com/wcc/eh/3347108/category/91385/upcoming-webinars>)\n\n## [Introducing Qualys Threat Thursdays](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/01/introducing-qualys-threat-research-thursdays>)\n\n\n\nThe **Qualys Research Team** announces the first in a series of regular monthly webinars covering the latest threat intelligence analysis and insight. Join us each month for Threat Thursdays, where we will zero in on a specific malware or other exploit observed in the wild\u2026 and how to defend against it.\n\nPlease join us for the first [Threat Thursdays](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) monthly webinar where the Qualys Threat Research Team will present the latest threat intelligence\u2026 each and every month! \n\nTo quickly navigate to Threat Thursday blog posts, please use <https://blog.qualys.com/tag/threat-thursday>\n\n* * *\n\n[CONFERENCES](<https://www.qualys.com/qsc/locations/>)\n\n[](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821>)[Register Now](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821>)\n\n## [Qualys Annual Security Conference](<https://www.qualys.com/qsc/get-notified/#las-vegas/>) #QSC22\n\nNovember 7-10, 2022 \n\nThe Venetian Resort Las Vegas, 3355 Las Vegas Blvd. South, Las Vegas, NV 89109, US\n\n[Book your hotel here](<https://book.passkey.com/gt/218594637?gtid=9914abda1b2fe722d872e0ac3e0bdc09>) & take advantage of the discounted QSC rate of $229+ per night\n\nOr find a conference [near you](<https://www.qualys.com/qsc/locations/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T20:00:00", "type": "qualysblog", "title": "September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities with 5 Critical, plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities with 35 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0028", "CVE-2022-22047", "CVE-2022-23960", "CVE-2022-26929", "CVE-2022-2856", "CVE-2022-2884", "CVE-2022-30134", "CVE-2022-3075", "CVE-2022-31672", "CVE-2022-31673", "CVE-2022-31674", "CVE-2022-31675", "CVE-2022-32893", "CVE-2022-32894", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-35838", "CVE-2022-36804", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38007", "CVE-2022-38009", "CVE-2022-38012"], "modified": "2022-09-13T20:00:00", "id": "QUALYSBLOG:DE2E40D3BB574E53C7448F3A304849C9", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-30T16:16:48", "description": "The remote Windows host is missing security update 5017371. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017371: Windows Server 2008 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017371.NASL", "href": "https://www.tenable.com/plugins/nessus/165004", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165004);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37964\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017358\");\n script_xref(name:\"MSKB\", value:\"5017371\");\n script_xref(name:\"MSFT\", value:\"MS22-5017358\");\n script_xref(name:\"MSFT\", value:\"MS22-5017371\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n\n script_name(english:\"KB5017371: Windows Server 2008 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017371. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017358\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017371\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017358\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017371\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017371 or Cumulative Update 5017358\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017371',\n '5017358'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017371, 5017358])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-30T16:15:38", "description": "The remote Windows host is missing security update 5017373. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017373: Windows Server 2008 R2 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017373.NASL", "href": "https://www.tenable.com/plugins/nessus/165002", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165002);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37964\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017361\");\n script_xref(name:\"MSKB\", value:\"5017373\");\n script_xref(name:\"MSFT\", value:\"MS22-5017361\");\n script_xref(name:\"MSFT\", value:\"MS22-5017373\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017373: Windows Server 2008 R2 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017373. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017361\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017361\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017373\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017373 or Cumulative Update 5017361\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017373',\n '5017361'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017373, 5017361])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-30T16:15:55", "description": "The remote Windows host is missing security update 5017377. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017377: Windows Server 2012 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017377.NASL", "href": "https://www.tenable.com/plugins/nessus/165007", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165007);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017370\");\n script_xref(name:\"MSKB\", value:\"5017377\");\n script_xref(name:\"MSFT\", value:\"MS22-5017370\");\n script_xref(name:\"MSFT\", value:\"MS22-5017377\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017377: Windows Server 2012 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017377. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017370\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017370\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017377\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017377 or Cumulative Update 5017370\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017377',\n '5017370'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017377, 5017370])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-30T16:16:10", "description": "The remote Windows host is missing security update 5017365. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017365: Windows Server 2012 R2 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017365.NASL", "href": "https://www.tenable.com/plugins/nessus/165005", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165005);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017365\");\n script_xref(name:\"MSKB\", value:\"5017367\");\n script_xref(name:\"MSFT\", value:\"MS22-5017365\");\n script_xref(name:\"MSFT\", value:\"MS22-5017367\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017365: Windows Server 2012 R2 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017365. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017365\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017367\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017365\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017367\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017365 or Cumulative Update 5017367\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017367',\n '5017365'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017367, 5017365])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-30T16:15:55", "description": "The remote Windows host is missing security update 5017392. It is, therefore, affected by multiple vulnerabilities\n\n - HTTP V3 Denial of Service Vulnerability (CVE-2022-35838)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017392: Windows Server 2022 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35838", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017392.NASL", "href": "https://www.tenable.com/plugins/nessus/165000", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165000);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-30170\",\n \"CVE-2022-30196\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35838\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37954\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017392\");\n script_xref(name:\"MSFT\", value:\"MS22-5017392\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017392: Windows Server 2022 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017392. It is, therefore, affected by multiple vulnerabilities\n\n - HTTP V3 Denial of Service Vulnerability (CVE-2022-35838)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017316\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017316\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017392\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017392\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017392\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017316',\n '5017392'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017316, 5017392])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-30T16:15:38", "description": "The remote Windows host is missing security update 5017305. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017305: Windows 10 Version 1607 and Windows Server 2016 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26928", "CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017305.NASL", "href": "https://www.tenable.com/plugins/nessus/164996", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164996);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26928\",\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37957\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017305\");\n script_xref(name:\"MSFT\", value:\"MS22-5017305\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017305: Windows 10 Version 1607 and Windows Server 2016 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017305. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017305\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017305\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017305\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017305'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:14393,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017305])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-30T16:15:37", "description": "The remote Windows host is missing security update 5017315. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017315: Windows 10 version 1809 / Windows Server 2019 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26928", "CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017315.NASL", "href": "https://www.tenable.com/plugins/nessus/164997", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164997);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26928\",\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30196\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37954\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37957\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017315\");\n script_xref(name:\"MSFT\", value:\"MS22-5017315\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017315: Windows 10 version 1809 / Windows Server 2019 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017315. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017315\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017315\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017315\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017315'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:17763,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2023-02-08T15:38:12", "description": "### *Detect date*:\n09/13/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, cause denial of service, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-35840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35840>) \n[CVE-2022-38004](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38004>) \n[CVE-2022-34727](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34727>) \n[CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>) \n[CVE-2022-30170](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30170>) \n[CVE-2022-34724](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34724>) \n[CVE-2022-33647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33647>) \n[CVE-2022-34732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34732>) \n[CVE-2022-35830](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35830>) \n[CVE-2022-34726](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34726>) \n[CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) \n[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>) \n[CVE-2022-37955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37955>) \n[CVE-2022-34731](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34731>) \n[CVE-2022-35803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35803>) \n[CVE-2022-30200](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30200>) \n[CVE-2022-34730](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34730>) \n[CVE-2022-34729](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34729>) \n[CVE-2022-38006](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38006>) \n[CVE-2022-38005](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38005>) \n[CVE-2022-37964](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37964>) \n[CVE-2022-37956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37956>) \n[CVE-2022-34733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34733>) \n[CVE-2022-35836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35836>) \n[CVE-2022-35833](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35833>) \n[CVE-2022-35832](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35832>) \n[CVE-2022-37958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958>) \n[CVE-2022-35835](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35835>) \n[CVE-2022-33679](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679>) \n[CVE-2022-34734](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34734>) \n[CVE-2022-34728](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34728>) \n[CVE-2022-34720](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34720>) \n[CVE-2022-34719](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34719>) \n[CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) \n[CVE-2022-35837](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35837>) \n[CVE-2022-35834](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35834>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-35840](<https://vulners.com/cve/CVE-2022-35840>)5.0Critical \n[CVE-2022-38004](<https://vulners.com/cve/CVE-2022-38004>)5.0Critical \n[CVE-2022-34727](<https://vulners.com/cve/CVE-2022-34727>)5.0Critical \n[CVE-2022-37969](<https://vulners.com/cve/CVE-2022-37969>)5.0Critical \n[CVE-2022-30170](<https://vulners.com/cve/CVE-2022-30170>)5.0Critical \n[CVE-2022-34724](<https://vulners.com/cve/CVE-2022-34724>)5.0Critical \n[CVE-2022-33647](<https://vulners.com/cve/CVE-2022-33647>)5.0Critical \n[CVE-2022-34732](<https://vulners.com/cve/CVE-2022-34732>)5.0Critical \n[CVE-2022-35830](<https://vulners.com/cve/CVE-2022-35830>)5.0Critical \n[CVE-2022-34726](<https://vulners.com/cve/CVE-2022-34726>)5.0Critical \n[CVE-2022-34718](<https://vulners.com/cve/CVE-2022-34718>)5.0Critical \n[CVE-2022-34721](<https://vulners.com/cve/CVE-2022-34721>)5.0Critical \n[CVE-2022-37955](<https://vulners.com/cve/CVE-2022-37955>)5.0Critical \n[CVE-2022-34731](<https://vulners.com/cve/CVE-2022-34731>)5.0Critical \n[CVE-2022-35803](<https://vulners.com/cve/CVE-2022-35803>)5.0Critical \n[CVE-2022-30200](<https://vulners.com/cve/CVE-2022-30200>)5.0Critical \n[CVE-2022-34730](<https://vulners.com/cve/CVE-2022-34730>)5.0Critical \n[CVE-2022-34729](<https://vulners.com/cve/CVE-2022-34729>)5.0Critical \n[CVE-2022-38006](<https://vulners.com/cve/CVE-2022-38006>)5.0Critical \n[CVE-2022-38005](<https://vulners.com/cve/CVE-2022-38005>)5.0Critical \n[CVE-2022-37956](<https://vulners.com/cve/CVE-2022-37956>)5.0Critical \n[CVE-2022-34733](<https://vulners.com/cve/CVE-2022-34733>)5.0Critical \n[CVE-2022-35836](<https://vulners.com/cve/CVE-2022-35836>)5.0Critical \n[CVE-2022-35833](<https://vulners.com/cve/CVE-2022-35833>)5.0Critical \n[CVE-2022-35832](<https://vulners.com/cve/CVE-2022-35832>)5.0Critical \n[CVE-2022-37958](<https://vulners.com/cve/CVE-2022-37958>)5.0Critical \n[CVE-2022-35835](<https://vulners.com/cve/CVE-2022-35835>)5.0Critical \n[CVE-2022-33679](<https://vulners.com/cve/CVE-2022-33679>)5.0Critical \n[CVE-2022-34734](<https://vulners.com/cve/CVE-2022-34734>)5.0Critical \n[CVE-2022-34728](<https://vulners.com/cve/CVE-2022-34728>)5.0Critical \n[CVE-2022-34720](<https://vulners.com/cve/CVE-2022-34720>)5.0Critical \n[CVE-2022-34719](<https://vulners.com/cve/CVE-2022-34719>)5.0Critical \n[CVE-2022-34722](<https://vulners.com/cve/CVE-2022-34722>)5.0Critical \n[CVE-2022-35837](<https://vulners.com/cve/CVE-2022-35837>)5.0Critical \n[CVE-2022-35834](<https://vulners.com/cve/CVE-2022-35834>)5.0Critical \n[CVE-2022-37964](<https://vulners.com/cve/CVE-2022-37964>)5.0Critical\n\n### *KB list*:\n[5017361](<http://support.microsoft.com/kb/5017361>) \n[5017373](<http://support.microsoft.com/kb/5017373>) \n[5017371](<http://support.microsoft.com/kb/5017371>) \n[5017358](<http://support.microsoft.com/kb/5017358>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "kaspersky", "title": "KLA19249 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2022-09-15T00:00:00", "id": "KLA19249", "href": "https://threats.kaspersky.com/en/vulnerability/KLA19249/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-08T15:38:15", "description": "### *Detect date*:\n09/13/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, cause denial of service, obtain sensitive information, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2016 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2012 R2 \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2012 \nWindows Server 2019 (Server Core installation) \nRaw Image Extension \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2022 Azure Edition Core Hotpatch \nWindows 11 for ARM64-based Systems \nWindows Server 2022 \nAV1 Video Extension \nWindows Server 2012 R2 (Server Core installation) \nWindows RT 8.1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 21H2 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2019 \nWindows Server 2022 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 8.1 for x64-based systems \nWindows Server 2016 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-35840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35840>) \n[CVE-2022-38004](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38004>) \n[CVE-2022-34727](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34727>) \n[CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>) \n[CVE-2022-30170](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30170>) \n[CVE-2022-34724](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34724>) \n[CVE-2022-33647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33647>) \n[CVE-2022-34732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34732>) \n[CVE-2022-35830](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35830>) \n[CVE-2022-34726](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34726>) \n[CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) \n[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>) \n[CVE-2022-37957](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37957>) \n[CVE-2022-37955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37955>) \n[CVE-2022-34731](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34731>) \n[CVE-2022-35803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35803>) \n[CVE-2022-30200](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30200>) \n[CVE-2022-34730](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34730>) \n[CVE-2022-34729](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34729>) \n[CVE-2022-38006](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38006>) \n[CVE-2022-38005](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38005>) \n[CVE-2022-35831](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35831>) \n[CVE-2022-34723](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34723>) \n[CVE-2022-37959](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37959>) \n[CVE-2022-34725](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34725>) \n[CVE-2022-38011](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38011>) \n[CVE-2022-37956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37956>) \n[CVE-2022-34733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34733>) \n[CVE-2022-35836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35836>) \n[CVE-2022-35833](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35833>) \n[CVE-2022-35832](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35832>) \n[CVE-2022-37958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958>) \n[CVE-2022-35835](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35835>) \n[CVE-2022-33679](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679>) \n[CVE-2022-26928](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26928>) \n[CVE-2022-37954](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37954>) \n[CVE-2022-34734](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34734>) \n[CVE-2022-34728](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34728>) \n[CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>) \n[CVE-2022-35841](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35841>) \n[CVE-2022-34720](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34720>) \n[CVE-2022-34719](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34719>) \n[CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) \n[CVE-2022-35837](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35837>) \n[CVE-2022-38019](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38019>) \n[CVE-2022-30196](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30196>) \n[CVE-2022-35838](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35838>) \n[CVE-2022-35834](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35834>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-35840](<https://vulners.com/cve/CVE-2022-35840>)5.0Critical \n[CVE-2022-38004](<https://vulners.com/cve/CVE-2022-38004>)5.0Critical \n[CVE-2022-34727](<https://vulners.com/cve/CVE-2022-34727>)5.0Critical \n[CVE-2022-37969](<https://vulners.com/cve/CVE-2022-37969>)5.0Critical \n[CVE-2022-30170](<https://vulners.com/cve/CVE-2022-30170>)5.0Critical \n[CVE-2022-34724](<https://vulners.com/cve/CVE-2022-34724>)5.0Critical \n[CVE-2022-33647](<https://vulners.com/cve/CVE-2022-33647>)5.0Critical \n[CVE-2022-34732](<https://vulners.com/cve/CVE-2022-34732>)5.0Critical \n[CVE-2022-35830](<https://vulners.com/cve/CVE-2022-35830>)5.0Critical \n[CVE-2022-34726](<https://vulners.com/cve/CVE-2022-34726>)5.0Critical \n[CVE-2022-34718](<https://vulners.com/cve/CVE-2022-34718>)5.0Critical \n[CVE-2022-34721](<https://vulners.com/cve/CVE-2022-34721>)5.0Critical \n[CVE-2022-37957](<https://vulners.com/cve/CVE-2022-37957>)5.0Critical \n[CVE-2022-37955](<https://vulners.com/cve/CVE-2022-37955>)5.0Critical \n[CVE-2022-34731](<https://vulners.com/cve/CVE-2022-34731>)5.0Critical \n[CVE-2022-35803](<https://vulners.com/cve/CVE-2022-35803>)5.0Critical \n[CVE-2022-30200](<https://vulners.com/cve/CVE-2022-30200>)5.0Critical \n[CVE-2022-34730](<https://vulners.com/cve/CVE-2022-34730>)5.0Critical \n[CVE-2022-34729](<https://vulners.com/cve/CVE-2022-34729>)5.0Critical \n[CVE-2022-38006](<https://vulners.com/cve/CVE-2022-38006>)5.0Critical \n[CVE-2022-38005](<https://vulners.com/cve/CVE-2022-38005>)5.0Critical \n[CVE-2022-35831](<https://vulners.com/cve/CVE-2022-35831>)5.0Critical \n[CVE-2022-34723](<https://vulners.com/cve/CVE-2022-34723>)5.0Critical \n[CVE-2022-37959](<https://vulners.com/cve/CVE-2022-37959>)5.0Critical \n[CVE-2022-34725](<https://vulners.com/cve/CVE-2022-34725>)5.0Critical \n[CVE-2022-38011](<https://vulners.com/cve/CVE-2022-38011>)5.0Critical \n[CVE-2022-37956](<https://vulners.com/cve/CVE-2022-37956>)5.0Critical \n[CVE-2022-34733](<https://vulners.com/cve/CVE-2022-34733>)5.0Critical \n[CVE-2022-35836](<https://vulners.com/cve/CVE-2022-35836>)5.0Critical \n[CVE-2022-35833](<https://vulners.com/cve/CVE-2022-35833>)5.0Critical \n[CVE-2022-35832](<https://vulners.com/cve/CVE-2022-35832>)5.0Critical \n[CVE-2022-37958](<https://vulners.com/cve/CVE-2022-37958>)5.0Critical \n[CVE-2022-35835](<https://vulners.com/cve/CVE-2022-35835>)5.0Critical \n[CVE-2022-33679](<https://vulners.com/cve/CVE-2022-33679>)5.0Critical \n[CVE-2022-26928](<https://vulners.com/cve/CVE-2022-26928>)5.0Critical \n[CVE-2022-37954](<https://vulners.com/cve/CVE-2022-37954>)5.0Critical \n[CVE-2022-34734](<https://vulners.com/cve/CVE-2022-34734>)5.0Critical \n[CVE-2022-34728](<https://vulners.com/cve/CVE-2022-34728>)5.0Critical \n[CVE-2022-23960](<https://vulners.com/cve/CVE-2022-23960>)1.9Warning \n[CVE-2022-35841](<https://vulners.com/cve/CVE-2022-35841>)5.0Critical \n[CVE-2022-34720](<https://vulners.com/cve/CVE-2022-34720>)5.0Critical \n[CVE-2022-34719](<https://vulners.com/cve/CVE-2022-34719>)5.0Critical \n[CVE-2022-34722](<https://vulners.com/cve/CVE-2022-34722>)5.0Critical \n[CVE-2022-35837](<https://vulners.com/cve/CVE-2022-35837>)5.0Critical \n[CVE-2022-38019](<https://vulners.com/cve/CVE-2022-38019>)5.0Critical \n[CVE-2022-30196](<https://vulners.com/cve/CVE-2022-30196>)5.0Critical \n[CVE-2022-35838](<https://vulners.com/cve/CVE-2022-35838>)5.0Critical \n[CVE-2022-35834](<https://vulners.com/cve/CVE-2022-35834>)5.0Critical\n\n### *KB list*:\n[5017392](<http://support.microsoft.com/kb/5017392>) \n[5017377](<http://support.microsoft.com/kb/5017377>) \n[5017316](<http://support.microsoft.com/kb/5017316>) \n[5017327](<http://support.microsoft.com/kb/5017327>) \n[5017365](<http://support.microsoft.com/kb/5017365>) \n[5017367](<http://support.microsoft.com/kb/5017367>) \n[5017315](<http://support.microsoft.com/kb/5017315>) \n[5017305](<http://support.microsoft.com/kb/5017305>) \n[5017328](<http://support.microsoft.com/kb/5017328>) \n[5017308](<http://support.microsoft.com/kb/5017308>) \n[5017370](<http://support.microsoft.com/kb/5017370>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "kaspersky", "title": "KLA19245 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23960", "CVE-2022-26928", "CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34723", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35838", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006", "CVE-2022-38011", "CVE-2022-38019"], "modified": "2022-09-15T00:00:00", "id": "KLA19245", "href": "https://threats.kaspersky.com/en/vulnerability/KLA19245/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}], "avleonov": [{"lastseen": "2022-09-24T00:03:21", "description": "Hello everyone! Let's take a look at Microsoft's September Patch Tuesday. This time it is quite compact. There were 63 CVEs released on Patch Tuesday day. If we add the vulnerabilities released between August and September Patch Tuesdays (as usual, they were in Microsoft Edge), the final number is 90. Much less than usual.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239101>\n \n \n $ cat comments_links.txt \n Qualys|September 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/09/13/september-2022-patch-tuesday\n ZDI|THE SEPTEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/9/13/the-september-2022-security-update-review\n Kaspersky|Patches for 64 vulnerabilities in Microsoft products released|https://www.kaspersky.com/blog/microsoft-patch-tuesday-september-2022/45501/\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"September\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n MS PT Year: 2022\n MS PT Month: September\n MS PT Date: 2022-09-13\n MS PT CVEs found: 63\n Ext MS PT Date from: 2022-08-10\n Ext MS PT Date to: 2022-09-12\n Ext MS PT CVEs found: 27\n ALL MS PT CVEs: 90\n ...\n\n * Urgent: 0\n * Critical: 1\n * High: 41\n * Medium: 44\n * Low: 4\n\n## Exploitable vulnerabilities\n\nThere are no vulnerabilities with public exploits yet. There are 3 vulnerabilities for which there is a Proof-of-Concept Exploit according to data from CVSS.\n\n 1. **Elevation of Privilege **- Kerberos (CVE-2022-33679). An unauthenticated attacker could perform a man-in-the-middle network exploit to downgrade a client's encryption to the RC4-md4 cypher, followed by cracking the user's cypher key. The attacker could then compromise the user's Kerberos session key to elevate privileges.\n 2. **Elevation of Privilege **- Azure Guest Configuration and Azure Arc-enabled servers (CVE-2022-38007). An attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons. \n 3. **Elevation of Privilege** - Windows GDI (CVE-2022-34729). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\nBut the likelihood that these exploits will be used in real attacks seems low.\n\n## Exploitation in the wild\n\nThere are 3 vulnerabilities with a sign of exploitation in the wild:\n\n * **Elevation of Privilege** - Windows Common Log File System Driver (CVE-2022-37969). An attacker must already have access and the ability to run code on the target system. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability affects many versions of Windows, there are patches even for EOL versions. In addition to this vulnerability, there was a bunch of EoPs in Windows with no signs of exploitation in the wild, for example **Elevation of Privilege** - Windows Kernel (CVE-2022-37956, CVE-2022-37957, CVE-2022-37964)\n * **Security Feature Bypass** - Microsoft Edge (CVE-2022-2856, CVE-2022-3075). Edge vulnerabilities are actually Chromium vulnerabilities. This is the downside of using the same engine. Chrome vulnerabilities also affect Edge, Opera, Brave, Vivaldi, etc.\n\n## IP packet causes RCE\n\n**Remote Code Execution** - Windows TCP/IP (CVE-2022-34718). An unauthorized attacker can use it to execute arbitrary code on the attacked Windows computer with the IPSec service enabled by sending a specially crafted IPv6 packet to it. This vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled. IPsec and IPv6 are evil.  But seriously, it's bad that this is even possible.\n\nAnd that's not all, there's more. **Remote Code Execution** - Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34721, CVE-2022-34722). The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft reminds that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.\n\n## Windows DNS Server DoS\n\n**Denial of Service** - Windows DNS Server (CVE-2022-34724). This bug is only rated Important since there\u2019s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It\u2019s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.\n\n## Spectre-BHB\n\n**Memory Corruption** - ARM processor (CVE-2022-23960). This is yet another variation of the Spectre vulnerability (this time Specter-BHB), which interferes with a processor\u2019s speculative execution of instructions mechanism. In other words, the probability of its use in real attacks is extremely small \u2014 the danger is somewhat theoretical. But almost all Patch Tuesday reviewers paid attention to this vulnerability.\n\nFull Vulristics report: [ms_patch_tuesday_september2022](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_september2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-23T22:44:11", "type": "avleonov", "title": "Microsoft Patch Tuesday September 2022: CLFS Driver EoP, IP packet causes RCE, Windows DNS Server DoS, Spectre-BHB", "bulletinFamily": "blog", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23960", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34729", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38007"], "modified": "2022-09-23T22:44:11", "id": "AVLEONOV:75C789BDAA68C1C2CEC0F20F1D138B01", "href": "https://avleonov.com/2022/09/24/microsoft-patch-tuesday-september-2022-clfs-driver-eop-ip-packet-causes-rce-windows-dns-server-dos-spectre-bhb/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}], "rapid7blog": [{"lastseen": "2022-09-13T22:03:40", "description": "\n\nThis month\u2019s [Patch Tuesday](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>) is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969>) is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset they\u2019ve already got an initial foothold in. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, Microsoft has released a fix for [CVE-2022-23960](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23960>) (aka Spectre-BHB) for Windows 11 on ARM64.\n\nSome of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. [CVE-2022-34718](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718>) allows remote code execution (RCE) on any Windows system reachable via IPv6; [CVE-2022-34721](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34721>) and [CVE-2022-34722](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34722>) are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are [CVE-2022-35805](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35805>) and [CVE-2022-34700](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34700>), both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.\n\nSharePoint administrators should also be aware of four separate RCEs being addressed this month. They\u2019re ranked Important, meaning Microsoft recommends applying the updates at the earliest opportunity. Finally, a large swath of CVEs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver were also fixed. These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-38007](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38007>) | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n### Browser vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-38012](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38012>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 7.7 | Yes \n[CVE-2022-3075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3075>) | Chromium: CVE-2022-3075 Insufficient data validation in Mojo | No | No | N/A | Yes \n[CVE-2022-3058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3058>) | Chromium: CVE-2022-3058 Use after free in Sign-In Flow | No | No | N/A | Yes \n[CVE-2022-3057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3057>) | Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox | No | No | N/A | Yes \n[CVE-2022-3056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3056>) | Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy | No | No | N/A | Yes \n[CVE-2022-3055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3055>) | Chromium: CVE-2022-3055 Use after free in Passwords | No | No | N/A | Yes \n[CVE-2022-3054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3054>) | Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools | No | No | N/A | Yes \n[CVE-2022-3053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3053>) | Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock | No | No | N/A | Yes \n[CVE-2022-3047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3047>) | Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API | No | No | N/A | Yes \n[CVE-2022-3046](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3046>) | Chromium: CVE-2022-3046 Use after free in Browser Tag | No | No | N/A | Yes \n[CVE-2022-3045](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3045>) | Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8 | No | No | N/A | Yes \n[CVE-2022-3044](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3044>) | Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation | No | No | N/A | Yes \n[CVE-2022-3041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3041>) | Chromium: CVE-2022-3041 Use after free in WebSQL | No | No | N/A | Yes \n[CVE-2022-3040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3040>) | Chromium: CVE-2022-3040 Use after free in Layout | No | No | N/A | Yes \n[CVE-2022-3039](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3039>) | Chromium: CVE-2022-3039 Use after free in WebSQL | No | No | N/A | Yes \n[CVE-2022-3038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-3038>) | Chromium: CVE-2022-3038 Use after free in Network Service | No | No | N/A | Yes \n \n### Developer Tools vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-26929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26929>) | .NET Framework Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-38013](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38013>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-38020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38020>) | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n \n### ESU vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-37964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37964>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n### Microsoft Dynamics vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-35805](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35805>) | Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34700>) | Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-38008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38008>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-38009](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38009>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-37961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37961>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35823](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35823>) | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-37962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37962>) | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-38010](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38010>) | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-37963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37963>) | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### System Center vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-35828](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35828>) | Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-35841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35841>) | Windows Enterprise App Management Service Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-30196](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30196>) | Windows Secure Channel Denial of Service Vulnerability | No | No | 8.2 | Yes \n[CVE-2022-37957](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37957>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-37954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37954>) | DirectX Graphics Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-38019](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38019>) | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35838>) | HTTP V3 Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-38011](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38011>) | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-26928](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26928>) | Windows Photo Import API Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-34725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34725>) | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-37959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37959>) | Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35831](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35831>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34723>) | Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-23960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23960>) | Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability | No | Yes | N/A | Yes \n \n### Windows ESU vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-34718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34718>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-34721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34721>) | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-34722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34722>) | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-35834](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35834>) | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35835>) | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35836>) | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35840](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35840>) | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34731>) | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34733>) | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34726>) | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34727>) | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34730](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34730>) | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34732>) | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34734>) | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-33679](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33679>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-33647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33647>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35830>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-38005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38005>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30200>) | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-37956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37956>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-37955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37955>) | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34729>) | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-38004](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38004>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34719>) | Windows Distributed File System (DFS) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-37969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37969>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | Yes | 7.8 | Yes \n[CVE-2022-35803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35803>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35833>) | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-34720](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34720>) | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-34724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34724>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-37958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37958>) | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-30170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30170>) | Windows Credential Roaming Service Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-38006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38006>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-34728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34728>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-35832](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35832>) | Windows Event Tracing Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2022-35837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35837>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5 | Yes \n \n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T20:11:08", "type": "rapid7blog", "title": "Patch Tuesday - September 2022", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23960", "CVE-2022-26928", "CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-3038", "CVE-2022-3039", "CVE-2022-3040", "CVE-2022-3041", "CVE-2022-3044", "CVE-2022-3045", "CVE-2022-3046", "CVE-2022-3047", "CVE-2022-3053", "CVE-2022-3054", "CVE-2022-3055", "CVE-2022-3056", "CVE-2022-3057", "CVE-2022-3058", "CVE-2022-3075", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34700", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34723", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35805", "CVE-2022-35823", "CVE-2022-35828", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35838", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37961", "CVE-2022-37962", "CVE-2022-37963", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006", "CVE-2022-38007", "CVE-2022-38008", "CVE-2022-38009", "CVE-2022-38010", "CVE-2022-38011", "CVE-2022-38012", "CVE-2022-38013", "CVE-2022-38019", "CVE-2022-38020"], "modified": "2022-09-13T20:11:08", "id": "RAPID7BLOG:207700353EDB2453B1928E90A6683A0E", "href": "https://blog.rapid7.com/2022/09/13/patch-tuesday-september-2022/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}]}
CVE-2022-33647
