Microsoft Windows - 'CiSetFileCache' WDAC Security Feature Bypass TOCTOU
2018-09-19T00:00:00
ID: EDB-ID:45435 | Type: exploitdb | Reporter: Exploit-DB | Modified: 2018-09-19
Description
Microsoft Windows - 'CiSetFileCache' WDAC Security Feature Bypass TOCTOU. CVE-2018-8449. Local security feature bypass for the Windows platform (filed by Exploit-DB under "dos", although nothing here crashes; the CVE vector is AV:L). Tags: Race Condition
Windows: CiSetFileCache TOCTOU CVE-2017-11830 Variant WDAC Security Feature Bypass
Platform: Windows 10 1803, 1709 (should include S-Mode but not tested)
Class: Security Feature Bypass
Summary:
While the TOCTOU attack against cache signing through NtSetCachedSigningLevel has been mitigated, the same code is reachable via NtCreateSection, which allows WDAC policies and CIG/PPL to be circumvented.
Description:
I'm reporting this as you've fixed the previous issues (cases 43036 and 40101), so I'm making an assumption you'd also fix this one. The previous issues allowed an unprivileged caller to exploit a race condition in the CiSetFileCache kernel function by calling NtSetCachedSigningLevel. These issues should now be fixed.

During my research into PPL/PP bypasses I noticed that the cache is also written during the initial creation of an image section when the process is running with an increased section signing level, presumably so that the kernel can cache the signature automatically. This is an issue because it's possible to create an image section from a handle that is writable (and executable), and no part of CI then checks whether the caller has write access to the file. An elevated section signing level can be obtained by enabling the ProcessSignaturePolicy process mitigation policy; it's not necessary to be a PPL. In fact, while I've not tested it, it's possible that just running inside a process on Windows 10 S-Mode would be sufficient, as the section signing level should be elevated for WDAC.
So to exploit this we can do the following:
1. Elevate the section signing level of the current process using SetProcessMitigationPolicy, or just run in a WDAC/CIG process.
2. Copy a valid signed file to a known name then open a writable and executable handle to that file.
3. Set an oplock on a known catalog file which will be checked during verification.
4. Call NtCreateSection with the handle requesting SEC_IMAGE.
5. Wait for oplock to fire, rewrite the file with an untrusted binary, then release oplock.
6. Close section and file handles. The cache should have been applied to the untrusted file.
Perhaps CI should check whether the file handle was opened for write access and skip writing the cache in that case. Realistically, creating an image section from a writable handle is an unusual operation: the normal loader opens the handle only for read/execute.
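The following C# program is an added example and is not the PoC shipped with this report. It reproduces steps 1, 2 and 4 above (elevate the section signing level via the ProcessSignaturePolicy mitigation, open the copied signed file with a writable and executable handle, create a SEC_IMAGE section) and then asks the kernel, through the ntdll export NtGetCachedSigningLevel, whether a cached signing level now exists on the file. The oplock-timed rewrite (step 5) is deliberately omitted: this is a check for the precondition that the paragraph above says CI should refuse, not the bypass itself. It assumes Windows 10, a Microsoft-signed notepad.exe under %SystemRoot%\System32, and an output path on the NTFS boot volume; the default output path and the NtGetCachedSigningLevel prototype (taken from the phnt/NtApiDotNet definitions) are assumptions, and the SE_SIGNING_LEVEL values printed are the winnt.h constants.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not the report's PoC. Checks whether Code Integrity writes a
// cached signing level when an image section is created from a handle that also
// has write access. No oplock and no file rewrite: precondition check only.
static class CacheFromWritableHandle
{
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY { public uint Flags; }

    const int ProcessSignaturePolicy = 8;      // PROCESS_MITIGATION_POLICY enum value
    const uint MicrosoftSignedOnly = 0x1;      // bit 0 of the policy Flags
    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, GENERIC_EXECUTE = 0x20000000;
    const uint FILE_SHARE_ALL = 0x7;           // read | write | delete
    const uint OPEN_EXISTING = 3;
    const uint PAGE_READONLY = 0x02, SEC_IMAGE = 0x1000000;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetProcessMitigationPolicy(int policy, ref PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY buffer, IntPtr length);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CopyFileW(string src, string dst, bool failIfExists);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateFileW(string path, uint access, uint share, IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateFileMappingW(IntPtr file, IntPtr sa, uint protect, uint sizeHigh, uint sizeLow, string name);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    // Undocumented ntdll export; prototype as in phnt / NtApiDotNet (assumption, see lead-in).
    [DllImport("ntdll.dll")]
    static extern int NtGetCachedSigningLevel(IntPtr file, out uint flags, out byte level,
        byte[] thumbprint, ref uint thumbprintSize, out uint thumbprintAlgorithm);

    // SE_SIGNING_LEVEL_* constants from winnt.h, for readable output.
    static string LevelName(int level)
    {
        switch (level)
        {
            case 0: return "Unchecked"; case 1: return "Unsigned"; case 4: return "Authenticode";
            case 6: return "Store"; case 7: return "Antimalware"; case 8: return "Microsoft";
            case 12: return "Windows"; case 14: return "WindowsTcb"; default: return "level " + level;
        }
    }

    // Returns the cached signing level, or -1 when the kernel reports no cache entry.
    static int QueryCachedLevel(IntPtr file)
    {
        byte[] thumb = new byte[64];
        uint size = (uint)thumb.Length;
        int status = NtGetCachedSigningLevel(file, out uint flags, out byte level, thumb, ref size, out uint alg);
        return status >= 0 ? level : -1;   // NT_SUCCESS == (status >= 0)
    }

    static IntPtr OpenFile(string path, uint access)
    {
        IntPtr h = CreateFileW(path, access, FILE_SHARE_ALL, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);
        if (h == INVALID_HANDLE_VALUE) throw new Win32Exception();
        return h;
    }

    static void Main(string[] args)
    {
        string signed = Environment.ExpandEnvironmentVariables(@"%SystemRoot%\System32\notepad.exe");
        string target = args.Length > 0 ? args[0] : @"C:\ci_cache_probe.exe";  // assumed path on the boot volume

        // Resolve all P/Invoke stubs first: once MicrosoftSignedOnly is on, later image loads must be Microsoft signed.
        Marshal.PrelinkAll(typeof(CacheFromWritableHandle));
        if (!CopyFileW(signed, target, false)) throw new Win32Exception();

        // Step 1: raise the process section signing level without being a PPL.
        var policy = new PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY { Flags = MicrosoftSignedOnly };
        IntPtr len = (IntPtr)Marshal.SizeOf(typeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY));
        if (!SetProcessMitigationPolicy(ProcessSignaturePolicy, ref policy, len)) throw new Win32Exception();

        // Step 2: a handle that is writable *and* executable, which the normal loader never requests.
        IntPtr file = OpenFile(target, GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
        int before = QueryCachedLevel(file);
        Console.WriteLine("before section: {0}", before < 0 ? "no cache entry" : LevelName(before));

        // Step 4: SEC_IMAGE section. CreateFileMapping is the Win32 wrapper over NtCreateSection.
        IntPtr section = CreateFileMappingW(file, IntPtr.Zero, PAGE_READONLY | SEC_IMAGE, 0, 0, null);
        if (section == IntPtr.Zero) throw new Win32Exception();
        CloseHandle(section);

        // Step 6: the report observes the cache once the handles are closed; re-open read-only to look.
        CloseHandle(file);
        IntPtr reader = OpenFile(target, GENERIC_READ);
        int after = QueryCachedLevel(reader);
        CloseHandle(reader);

        Console.WriteLine("after section:  {0}", after < 0 ? "no cache entry" : LevelName(after));
        Console.WriteLine(after >= 0
            ? "CI cached a signing level from a writable handle: the race precondition is present."
            : "No cache entry written: CI did not cache for this handle.");
    }
}
```

Run it as an ordinary user with the output path on the boot volume. A build that still reports a cache entry after the section is created from a writable handle has the precondition this report relies on; the race in step 5 is what turns that into a bypass, and it is not part of this check.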
Proof of Concept:
I’ve provided a PoC as a C# project. It will allow you to “cache sign” an arbitrary executable. To test on S-Mode you’ll need to sign the PoC (and the NtApiDotNet.dll assembly) so it’ll run. It copies notepad to a file and triggers verification of it, but uses an oplock to rewrite the contents of the file with the untrusted file before the kernel can set the cache EA.
1) Compile the C# project. It will need to grab the NtApiDotNet v1.1.15 package from NuGet to work.
2) Execute the PoC passing the path to an unsigned file and to the output “cache signed” file, e.g. poc unsigned.exe output.exe. Make sure the output file is on a volume which supports cached signing level such as the main boot volume.
3) You should see it print the signing level, if successful.
4) You should now be able to execute the unsigned file, bypassing the security policy enforcement.
NOTE: If it prints an exception then the exploit failed. The opened catalog files seem to be cached for some unknown period of time after use, so if the catalog file I’m using for a timing signal is already open then the oplock is never broken. Just rerun the PoC, which will pick a different catalog file to use. Also the output file must be on an NTFS volume with the USN Change Journal enabled, as that’s relied upon by the signature level cache code. Best to do it on the boot drive as that ensures everything should work correctly.
Expected Result:
Access denied or at least an error setting the cached signing level.
Observed Result:
The signing level cache is applied to the file with no further verification. You can now execute the file as if it was signed.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45435.zip
References:
Exploit-DB entry: https://www.exploit-db.com/exploits/45435/ (download: https://www.exploit-db.com/download/45435/)
Original report (CVE-2017-11830, Project Zero issue 1332): https://bugs.chromium.org/p/project-zero/issues/detail?id=1332, archived as EDB-ID:43162 (https://www.exploit-db.com/exploits/43162/) and 0day.today 29021 (https://0day.today/exploit/29021)
This variant (CVE-2018-8449): 0day.today 31132 (https://0day.today/exploit/31132)
NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11830 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8449
Symantec writeups: SMNTC-101714 (CVE-2017-11830), SMNTC-105272 (CVE-2018-8449); both state that vendor updates are available.
Scanner coverage listed for the corpus entry: Nessus SMB_NT_MS17_NOV_4048952 through SMB_NT_MS17_NOV_4048956 (CVE-2017-11830) and SMB_NT_MS18_SEP_4457128, 4457131, 4457132, 4457138, 4457142 (CVE-2018-8449).

Related CVE records:

CVE-2017-11830 (published 2017-11-15, CWE-367): Device Guard in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016, and Windows Server, version 1709 allows an attacker to make an unsigned file appear to be signed, due to a security feature bypass, aka "Device Guard Security Feature Bypass Vulnerability". CVSS v3.0 5.3 (Medium), CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L; CVSS v2 4.6, AV:L/AC:L/Au:N/C:P/I:P/A:P.

CVE-2018-8449 (published 2018-09-13, CWE-367): A security feature bypass exists when Device Guard incorrectly validates an untrusted file, aka "Device Guard Security Feature Bypass Vulnerability." Affects Windows 10 (Gold, 1607, 1703, 1709, 1803), Windows Server 2016, and Windows Server versions 1709 and 1803. CVSS v3.0 3.3 (Low), CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N; CVSS v2 2.1, AV:L/AC:L/Au:N/C:N/I:P/A:N.

Note on scoring: the 4.6 / AV:L/AC:L/Au:N/C:P/I:P/A:P score attached to the Exploit-DB entry matches the CVSS v2 score of CVE-2017-11830 rather than that of CVE-2018-8449 (2.1). Both CVEs are local (AV:L); Symantec's "Remote Security Bypass" title for SMNTC-105272 does not match the NVD vector.

Original report (Windows: CiSetFileCache TOCTOU Security Feature Bypass, CVE-2017-11830), of which the report above is a variant:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332
Platform: Windows 10 10586/14393/10S; not tested on 8.1 Update 2 or Windows 7
Class: Security Feature Bypass

Summary:
It’s possible to add a cached signing level to an unsigned file by exploiting a TOCTOU in CI, leading to circumventing Device Guard policies and possibly PPL signing levels.

Description:

Windows Code Integrity has the concept of caching signing level decisions made on individual files. This is done by storing an extended attribute with the name $KERNEL.PURGE.ESBCACHE and filling it with related binary information. As the EA name is a kernel EA it can’t be set by user mode code, only by kernel mode code calling FsRtlSetKernelEaFile. Also crucially it’s a purgeable EA, which means it will be deleted automatically by the USN journal code if any attempt is made to write to the file after it has been set.

As far as I can tell the binary data doesn’t need to correspond to anything inside the file itself, so if we replace the contents of the file with a valid cached signing level the kernel is entirely relying on the automatic purging of the kernel EA to prevent spoofing. To test that theory I copied the EA entry from a valid signed file onto an unsigned file with a non-kernel EA name, then used a disk editor to modify the name offline. This worked when I rebooted the machine, so I was confident it could work if you could write the kernel EA entry. Of course if this was the only way to exploit it I wouldn’t be sending this report.

As user mode code can’t directly set the kernel EA, the facility to write the cache entry is exposed through ZwSetCachedSigningLevel(2). This takes a number of arguments, including flags, a list of associated file handles and the target handle to write the EA to. There seem to be 3 modes which are specified through the flags:

Mode 1 - This is used by mscorsvw.exe and seems to be used for blessing NGEN binaries. Calling this requires the caller to be a PPL so I didn’t investigate this too much. I’m sure there’s probably race conditions in NGEN which could be exploited, or ways to run in a PPL if you’re admin. The advantage here is you don’t need to apply the cache to a signed file. This is what piqued my interest in the first place.
Mode 2 - Didn’t dig into this one TBH.
Mode 5 - This sets a cache on a signed file; the list of files must only have 1 entry and the handle must match the target file handle. This is the one we’ll be exploiting as it doesn’t require any privileges to call.

Looking through the code inside the kernel, the handles passed to ZwSetCachedSigningLevel are also passed as handles into CiSetFileCache, which is slightly odd on the face of it. My first thought was you could race the handle lookup when ObReferenceObjectByHandle is called for the target handle and when the code is enumerating the list of handles. The time window would be short but it’s usually pretty easy to force the kernel to reuse a handle number. However it turns out that in Mode 5, as the handle is verified to be equal, the code just uses the looked up FILE_OBJECT from the target handle instead, which removes this issue (I believe).

So instead I looked at racing the writing of the cache EA with the signature verification. If you could rewrite the file between the kernel verifying the signature of the file and the writing of the kernel EA, you could ensure your USN journal entries from the writes are flushed through beforehand and so don’t cause the EA to be purged. The kernel code calls FsRtlKernelFsControlFile with FSCTL_WRITE_USN_CLOSE_RECORD to force this flush just before writing the EA, so that should work.

The question is whether you can write to the file while you’re doing this. There’s no locking taking place on the file from what I could tell. There is a check for the target file being opened with FILE_SHARE_WRITE (the check for FileObject->SharedWrite) but that’s not the same as the file handle already being writable. So it looks like it’s possible to write to the file.

The final question is whether there’s a time period between signature verification and applying the EA that we can exploit. It turns out CI maps the file as a read only section and calls HashKComputeImageHash to generate the hash once. The code then proceeds to look up the hash inside a catalog (presumably unless the file has an embedded signature). Therefore there’s a clear window of time between the validation and the setting of the kernel EA in which to write.

The final piece of the puzzle is how to win that race reliably. The key is the validation against the catalog files. We can use an exclusive oplock to block the kernel opening the catalog file temporarily, which crucially happens after the target file has already been hashed. By choosing a catalog we know the kernel will check we can get a timing signal, modify the target file to be an unsigned, untrusted file, then release the oplock and let the kernel complete the verification and writing of the cache.

Almost all files on a locked down system such as Win10S are Microsoft Platform signed and so end up in catalogs such as Microsoft-Windows-Client-Features-Package. This seems like a hot-path file which might always be opened by the kernel and so couldn’t be exploited for an oplock. However another useful feature now comes into play: there’s also an EA which can specify a hint name for the catalog the file is signed in. This is called $CI.CATALOGHINT and isn’t a kernel EA, which means we can set it. It contains a UTF8 encoded file name (without path information). Importantly, while CI will check this catalog first, if it can’t find the hash in that catalog it continues searching everything else, so we can pick a non-hot-path catalog (such as Adobe’s Flash catalogs) which we can oplock on, do the write, then release, and the verification will find the correct real catalog instead. I don’t think you need to do this, but it makes it considerably more convenient.

Note that to exploit this you’d likely need executable code already running, but we already know there’s multiple DG bypasses and things like Office on Win10S can run macros. Or this could be used from shellcode, as I can’t see any obvious limitation on exploiting this from a sandbox as long as you can write a file to an NTFS drive with the USN Change Journal enabled. Running this once would give you an executable or a DLL which bypasses the CI policies, so it could be used as a stage in an attack chain to get arbitrary code executing on a DG system.

In theory I think this would also allow you to specify the signing level for an untrusted file, which would allow the DLL to be loaded inside a PPL service, so you could use this on a vanilla system to try and attack the kernel through PPLs such as CSRSS as an administrator. I don’t know how long the cache is valid for, but it’s at least a day or two and might only get revoked if you update your system or replace the file.

Proof of Concept:

I’ve provided a PoC as a C# project. It will allow you to “cache sign” an arbitrary executable. If you want to test this on a locked down system such as Win10S you’ll need to sign the PoC (and the NtApiDotNet.dll assembly) so it’ll run. Or use it via one of my .NET based DG bypasses; in that case you can call the POC.Exploit.Run method directly. It copies notepad to a file, attempts to verify it, but uses an oplock to rewrite the contents of the file with the untrusted file before it can set the kernel EA.

1) Compile the C# project. It will need to grab the NtApiDotNet v1.0.8 package from NuGet to work.
2) Execute the PoC passing the path to an unsigned file and to the output “cache signed” file, e.g. poc unsigned.exe output.exe
3) You should see it print the signing level, if successful.
4) You should now be able to execute the unsigned file, bypassing the security policy enforcement.

NOTE: If it prints an exception then the exploit failed. The opened catalog files seemed to be cached for some unknown period of time after use, so if the catalog file I’m using for a timing signal is already open then the oplock is never broken. Wait a period of time and try again. Also the output file must be on an NTFS volume with the USN Change Journal enabled, as that’s relied upon by the signature level cache code. Best to do it on the boot drive as that ensures everything should work correctly.

Expected Result:
Access denied or at least an error setting the cached signing level.

Observed Result:
The signing level cache is applied to the file with no further verification. You can now execute the file as if it was signed with a valid Microsoft signature.
Of course if this was the only way to exploit it I wouldn\u2019t be sending this report.\r\n\r\nAs user mode code can\u2019t directly set the kernel EA the facility to write the cache entry is exposed through ZwSetCachedSigningLevel(2). This takes a number of arguments, including flags, a list of associated file handles and the target handle to write the EA to. There seems to be 3 modes which are specified through the flags:\r\n\r\nMode 1 - This is used by mscorsvw.exe and seems to be used for blessing NGEN binaries. Calling this requires the caller to be a PPL so I didn\u2019t investigate this too much. I\u2019m sure there\u2019s probably race conditions in NGEN which could be exploited, or ways to run in a PPL if you\u2019re admin. The advantage here is you don\u2019t need to apply the cache to a signed file. This is what piqued my interesting in the first place.\r\nMode 2 - Didn\u2019t dig into this one TBH\r\nMode 5 - This sets a cache on a signed file, the list of files must only have 1 entry and the handle must match the target file handle. This is the one we\u2019ll be exploiting as it doesn\u2019t require any privileges to call.\r\n\r\nLooking through the code inside the kernel the handles passed to ZwSetCachedSigningLevel are also passed as handles into CiSetFileCache which is slightly odd on the face of it. My first thought was you could race the handle lookup when ObReferenceObjectByHandle is called for the target handle and when the code is enumerating the list of handles. The time window would be short but it\u2019s usually pretty easy to force the kernel to reuse a handle number. However it turns out in Mode 5 as the handle is verified to be equal the code just uses the looked up FILE_OBJECT from the target handle instead which removes this issue (I believe).\r\n\r\nSo instead I looked at racing the writing of the cache EA with the signature verification. 
If you could rewrite the file between the kernel verifying the signature of the file and the writing of the kernel EA you could ensure your USN journal entries from the writes are flushed through before hand and so doesn\u2019t cause the EA to be purged. The kernel code calls FsRtlKernelFsControlFile with FSCTL_WRITE_USN_CLOSE_RECORD to force this flush just before writing the EA so that should work. \r\n\r\nThe question is can you write to the file while you\u2019re doing this? There\u2019s no locking taking place on the file from what I could tell. There is a check for the target file being opened with FILE_SHARE_WRITE (the check for FileObject->SharedWrite) but that\u2019s not the same as the file handle already being writable. So it looks like it\u2019s possible to write to the file.\r\n\r\nThe final question is whether there\u2019s a time period between signature verification and applying the EA that we can exploit? Turns out CI maps the file as a read only section and calls HashKComputeImageHash to generate the hash once. The code then proceeds to lookup the hash inside a catalog (presumably unless the file has an embedded signature). Therefore there's a clear window of time between the validation and the setting of the kernel EA to write.\r\n\r\nThe final piece of the puzzle is how to win that race reliably. The key is the validation against the catalog files. We can use an exclusive oplock to block the kernel opening the catalog file temporarily, which crucially happens after the target file has already been hashed. By choosing a catalog we know the kernel will check we can get a timing signal, modify the target file to be an unsigned, untrusted file then release the oplock and let the kernel complete the verification and writing of the cache. \r\n\r\nAlmost all files on a locked down system such as Win10S are Microsoft Platform signed and so end up in catalogs such as Microsoft-Windows-Client-Features-Package. 
This seems like a hot-path file which might always be opened by the kernel and so couldn\u2019t be exploited for an oplock. However another useful feature now comes into play, the fact that there\u2019s also an EA which can specify a hint name for the catalog the file is signed in. This is called $CI.CATALOGHINT and so isn\u2019t a kernel EA which means we can set it. It contains a UTF8 encoded file name (without path information). Importantly while CI will check this catalog first, if it can\u2019t find the hash in that catalog it continues searching everything else, so we can pick a non-hot-path catalog (such as Adobe\u2019s Flash catalogs) which we can oplock on, do the write then release and the verification will find the correct real catalog instead. I don\u2019t think you need to do this, but it makes it considerably more convenient.\r\n\r\nNote that to exploit this you\u2019d likely need executable code already running, but we already know there\u2019s multiple DG bypasses and things like Office on Win10S can run macros. Or this could be used from shellcode as I can\u2019t see any obvious limitation on exploiting this from a sandbox as long as you can write a file to an NTFS drive with the USN Change Journal enabled. Running this once would give you an executable or a DLL which bypasses the CI policies, so it could be used as a stage in an attack chain to get arbitrary code executing on a DG system.\r\n\r\nIn theory it think this would also allow you to specify the signing level for an untrusted file which would allow the DLL to be loaded inside a PPL service so you could use this on a vanilla system to try and attack the kernel through PPL\u2019s such as CSRSS as an administrator. I don\u2019t know how long the cache is valid for, but it\u2019s at least a day or two and might only get revoked if you update your system or replace the file.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. 
It will allow you to \u201ccache sign\u201d an arbitrary executable. If you want to test this on a locked down system such as Win10S you\u2019ll need to sign the PoC (and the NtApitDotNet.dll assembly) so it\u2019ll run. Or use it via one of my .NET based DG bypasses, in that case you can call the POC.Exploit.Run method directly. It copies notepad to a file, attempts to verify it but uses an oplock to rewrite the contents of the file with the untrusted file before it can set the kernel EA.\r\n\r\n1) Compile the C# project. It will need to grab the NtApiDotNet v1.0.8 package from NuGet to work.\r\n2) Execute the PoC passing the path to an unsigned file and to the output \u201ccache signed\u201d file, e.g. poc unsigned.exe output.exe\r\n3) You should see it print the signing level, if successful.\r\n4) You should not be able to execute the unsigned file, bypassing the security policy enforcement.\r\n\r\nNOTE: If it prints an exception then the exploit failed. The opened catalog files seemed to be cached for some unknown period of time after use so if the catalog file I\u2019m using for a timing signal is already open then the oplock is never broken. Wait a period of time and try again. Also the output file must be on to a NTFS volume with the USN Change Journal enabled as that\u2019s relied upon by the signature level cache code. Best to do it to the boot drive as that ensures everything should work correctly.\r\n\r\nExpected Result:\r\nAccess denied or at least an error setting the cached signing level.\r\n\r\nObserved Result:\r\nThe signing level cache is applied to the file with no further verification. 
You can now execute the file as if it was signed with valid Microsoft signature.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/43162.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43162/"}, {"lastseen": "2018-05-24T14:15:03", "description": "Microsoft Windows - 'CiSetFileCache' TOCTOU Incomplete Fix. CVE-2018-0966. Dos exploit for Windows platform", "published": "2018-04-16T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'CiSetFileCache' TOCTOU Incomplete Fix", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-0966", "CVE-2017-11830"], "modified": "2018-04-16T00:00:00", "id": "EDB-ID:44466", "href": "https://www.exploit-db.com/exploits/44466/", "sourceData": "Windows: CiSetFileCache TOCTOU CVE-2017-11830 Incomplete Fix\r\nPlatform: Windows 10 1709 (including Win10S)\r\nClass: Security Feature Bypass\r\n\r\nSummary:\r\nThe fix for CVE-2017-11830 is insufficient to prevent a normal user application adding a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumventing Device Guard policies.\r\n\r\nDescription:\r\nThe previous issue I reported was due to not checking for write access on the target file handle when setting the cache. This allows a user application to abuse a TOCTOU and rewrite the file after the hash has been generated for the file. The only changed code seems to be below:\r\n\r\nFILE_OBJECT target_file;\r\nObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, &target_file); \r\nif (target_file->SharedWrite) {\r\n return STATUS_SHARING_VIOLATION;\r\n}\r\n\r\nif (target_file->WriteAccess) { \u2190 Additional check for the file being opened for write.\r\n if ((PsGetProcessProtection(PsGetCurrentProcess()) & 7) != ProtectedProcessLight)\r\n return STATUS_SHARING_VIOLATION;\r\n}\r\n\r\nThe fix was to add a check that the target file passed isn\u2019t writable. 
This combined with the check for FILE_SHARE_WRITE should mean the user can\u2019t hold on to a writable file handle. However, when the file handle is converted to a file object with ObReferenceObjectByHandle the desired access is 0, which means we can pass a handle with any granted access including SYNCHRONIZE or READ_CONTROL, which do not respect file sharing. So we can still exploit this issue by doing the following:\r\n\r\n1. Open the file for write access.\r\n2. Reopen another handle to the file for SYNCHRONIZE access. This works as this access right can be used regardless of the sharing mode.\r\n3. Set cached signing level through the handle opened in 2.\r\n4. Wait for oplock, rewrite file using handle opened in 1. Release oplock.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. It will allow you to \u201ccache sign\u201d an arbitrary executable. If you want to test this on a locked down system such as Win10S you\u2019ll need to sign the PoC (and the NtApitDotNet.dll assembly) so it\u2019ll run. Or use it via one of my .NET based DG bypasses, in that case you can call the PoC_CacheSignature.Exploit.Run method directly. It copies notepad to a file, attempts to verify it but uses an oplock to rewrite the contents of the file with the untrusted file before it can set the kernel EA.\r\n\r\n1) Compile the C# project. It will need to grab the NtApiDotNet v1.1.7 package from NuGet to work.\r\n2) Execute the PoC passing the path to an unsigned file and to the output \u201ccache signed\u201d file, e.g. poc unsigned.exe output.exe\r\n3) You should see it print the signing level, if successful.\r\n4) You should not be able to execute the unsigned file, bypassing the security policy enforcement.\r\n\r\nNOTE: If it prints an exception then the exploit failed. 
The opened catalog files seemed to be cached for some unknown period of time after use so if the catalog file I\u2019m using for a timing signal is already open then the oplock is never broken. Just rerun the poc which will pick a different catalog file to use. Also the output file must be on to a NTFS volume with the USN Change Journal enabled as that\u2019s relied upon by the signature level cache code. Best to do it to the boot drive as that ensures everything should work correctly.\r\n\r\nExpected Result:\r\nAccess denied or at least an error setting the cached signing level.\r\n\r\nObserved Result:\r\nThe signing level cache is applied to the file with no further verification. You can now execute the file as if it was signed.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44466.zip", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44466/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Windows - CiSetFileCache TOCTOU Incomplete Fix", "edition": 1, "published": "2018-04-16T00:00:00", "title": "Microsoft Windows - CiSetFileCache TOCTOU Incomplete Fix", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11830"], "modified": "2018-04-16T00:00:00", "id": "EXPLOITPACK:F00D06636B5FA7134F577F25D468FE09", "href": "", "sourceData": "Windows: CiSetFileCache TOCTOU CVE-2017-11830 Incomplete Fix\nPlatform: Windows 10 1709 (including Win10S)\nClass: Security Feature Bypass\n\nSummary:\nThe fix for CVE-2017-11830 is insufficient to prevent a normal user application adding a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumventing Device Guard policies.\n\nDescription:\nThe previous issue I reported was due to not checking for write access on the target file handle when setting the cache. 
This allows a user application to abuse a TOCTOU and rewrite the file after the hash has been generated for the file. The only changed code seems to be below:\n\nFILE_OBJECT target_file;\nObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, &target_file); \nif (target_file->SharedWrite) {\n return STATUS_SHARING_VIOLATION;\n}\n\nif (target_file->WriteAccess) { \u2190 Additional check for the file being opened for write.\n if ((PsGetProcessProtection(PsGetCurrentProcess()) & 7) != ProtectedProcessLight)\n return STATUS_SHARING_VIOLATION;\n}\n\nThe fix was to add a check that the target file passed isn\u2019t writable. This combined with the check for FILE_SHARE_WRITE should mean the user can\u2019t hold on to a writable file handle. However, when the file handle is converted to a file object with ObReferenceObjectByHandle the desired access is 0, which means we can pass a handle with any granted access including SYNCHRONIZE or READ_CONTROL, which do not respect file sharing. So we can still exploit this issue by doing the following:\n\n1. Open the file for write access.\n2. Reopen another handle to the file for SYNCHRONIZE access. This works as this access right can be used regardless of the sharing mode.\n3. Set cached signing level through the handle opened in 2.\n4. Wait for oplock, rewrite file using handle opened in 1. Release oplock.\n\nProof of Concept:\n\nI\u2019ve provided a PoC as a C# project. It will allow you to \u201ccache sign\u201d an arbitrary executable. If you want to test this on a locked down system such as Win10S you\u2019ll need to sign the PoC (and the NtApitDotNet.dll assembly) so it\u2019ll run. Or use it via one of my .NET based DG bypasses, in that case you can call the PoC_CacheSignature.Exploit.Run method directly. It copies notepad to a file, attempts to verify it but uses an oplock to rewrite the contents of the file with the untrusted file before it can set the kernel EA.\n\n1) Compile the C# project. 
It will need to grab the NtApiDotNet v1.1.7 package from NuGet to work.\n2) Execute the PoC passing the path to an unsigned file and to the output \u201ccache signed\u201d file, e.g. poc unsigned.exe output.exe\n3) You should see it print the signing level, if successful.\n4) You should not be able to execute the unsigned file, bypassing the security policy enforcement.\n\nNOTE: If it prints an exception then the exploit failed. The opened catalog files seemed to be cached for some unknown period of time after use so if the catalog file I\u2019m using for a timing signal is already open then the oplock is never broken. Just rerun the poc which will pick a different catalog file to use. Also the output file must be on to a NTFS volume with the USN Change Journal enabled as that\u2019s relied upon by the signature level cache code. Best to do it to the boot drive as that ensures everything should work correctly.\n\nExpected Result:\nAccess denied or at least an error setting the cached signing level.\n\nObserved Result:\nThe signing level cache is applied to the file with no further verification. 
You can now execute the file as if it was signed.\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44466.zip", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Windows - CiSetFileCache WDAC Security Feature Bypass TOCTOU", "edition": 1, "published": "2018-09-19T00:00:00", "title": "Microsoft Windows - CiSetFileCache WDAC Security Feature Bypass TOCTOU", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11830"], "modified": "2018-09-19T00:00:00", "id": "EXPLOITPACK:189B60FC47D75EEEF92163E424C60897", "href": "", "sourceData": "Windows: CiSetFileCache TOCTOU CVE-2017-11830 Variant WDAC Security Feature Bypass\nPlatform: Windows 10 1803, 1709 (should include S-Mode but not tested)\nClass: Security Feature Bypass\n\nSummary:\nWhile the TOCTOU attack against cache signing has been mitigated through NtSetCachedSigningLevel it\u2019s possible to reach the same code via NtCreateSection leading to circumventing WDAC policies and CIG/PPL. \n\nDescription:\nI'm reporting this as you've fixed the previous issues (cases 43036 and 40101) so I'm making an assumption you'd also fix this one. The previous issues allowed a unprivileged caller to exploit a race condition in the CiSetFileCache kernel function by calling NtSetCachedSigningLevel. These issues should now be fixed. During my research into PPL/PP bypasses I noticed that the cache will also be written during the initial creation of an image section, when the process is running with an increased section signing level. This is presumably to allow the kernel to cache the signature automatically. This is an issue because it\u2019s possible to create an image section with a writable (and executable) handle to the file and no part of CI then checks whether the caller has write access. 
It\u2019s possible to have an elevated section signing level by enabling the ProcessSignaturePolicy process mitigation policy, it\u2019s not required to be in a PPL. In fact, while I\u2019ve not tested it, it\u2019s possible that just running inside a process on Windows 10 S-Mode would be sufficient as the section signing level should be elevated for WDAC. \n\nSo to exploit this we can do the following:\n\n1. Elevated the section signing level of the current process using SetProcessMitigationPolicy or just running in a WDAC/CIG process.\n2. Copy a valid signed file to a known name then open a writable and executable handle to that file.\n3. Set an oplock on a known catalog file which will be checked\n4. Call NtCreateSection with the handle requesting SEC_IMAGE.\n5. Wait for oplock to fire, rewrite the file with an untrusted binary, then release oplock.\n6. Close section and file handles. The cache should have been applied to the untrusted file.\n\nPerhaps CI should check whether the file handle has been opened for write access and not write out the cache in those cases as realistically creating an image section from a writable handle should be an unusual operation. The normal loader process opens the handle only for read/execute.\n\nProof of Concept:\n\nI\u2019ve provided a PoC as a C# project. It will allow you to \u201ccache sign\u201d an arbitrary executable. To test on S-Mode you\u2019ll need to sign the PoC (and the NtApitDotNet.dll assembly) so it\u2019ll run. It copies notepad to a file, attempts to verify it but uses an oplock to rewrite the contents of the file with the untrusted file before it can set the kernel EA.\n\n1) Compile the C# project. It will need to grab the NtApiDotNet v1.1.15 package from NuGet to work.\n2) Execute the PoC passing the path to an unsigned file and to the output \u201ccache signed\u201d file, e.g. poc unsigned.exe output.exe. 
Make sure the output file is on a volume which supports cached signing level such as the main boot volume.\n3) You should see it print the signing level, if successful.\n4) You should now be able to execute the unsigned file, bypassing the security policy enforcement.\n\nNOTE: If it prints an exception then the exploit failed. The opened catalog files seemed to be cached for some unknown period of time after use so if the catalog file I\u2019m using for a timing signal is already open then the oplock is never broken. Just rerun the poc which will pick a different catalog file to use. Also the output file must be on to a NTFS volume with the USN Change Journal enabled as that\u2019s relied upon by the signature level cache code. Best to do it to the boot drive as that ensures everything should work correctly.\n\nExpected Result:\nAccess denied or at least an error setting the cached signing level.\n\nObserved Result:\nThe signing level cache is applied to the file with no further verification. You can now execute the file as if it was signed.\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45435.zip", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:45", "bulletinFamily": "info", "cvelist": ["CVE-2018-8449"], "description": "Posted by James Forshaw, Google Project Zero\n\n \n\n\nAt [Recon Montreal 2018](<https://recon.cx/2018/montreal/>) I presented \u201cUnknown Known DLLs and other Code Integrity Trust Violations\u201d with [Alex Ionescu](<https://twitter.com/aionescu>). We described the implementation of Microsoft Windows\u2019 Code Integrity mechanisms and how Microsoft implemented Protected Processes (PP). 
As part of that I demonstrated various ways of bypassing Protected Process Light (PPL), some requiring administrator privileges, others not.\n\n** \n**\n\nIn this blog I\u2019m going to describe the process I went through to discover a way of injecting code into a PPL on Windows 10 1803. As the only [issue](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1597>) Microsoft considered to be violating a defended security boundary has now been [fixed](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8449>) I can discuss the exploit in more detail.\n\n# Background on Windows Protected Processes\n\nThe origins of the Windows Protected Process (PP) model stretch back to [Vista](<http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/process_vista.doc>) where it was introduced to protect DRM processes. The protected process model was heavily restricted, limiting loaded DLLs to a subset of code installed with the operating system. Also for an executable to be considered eligible to be started protected it must be signed with a specific Microsoft certificate which is embedded in the binary. One protection that the kernel enforced is that a non-protected process couldn\u2019t open a handle to a protected process with enough rights to inject arbitrary code or read memory.\n\n** \n**\n\nIn Windows 8.1 a new mechanism was introduced, Protected Process Light (PPL), which made the protection more generalized. PPL loosened some of the restrictions on what DLLs were considered valid for loading into a protected process and introduced different signing requirements for the main executable. Another big change was the introduction of a set of signing levels to separate out different types of protected processes. A PPL in one level can open for full access any process at the same signing level or below, with a restricted set of access granted to levels above. 
These signing levels were extended to the old PP model, a PP at one level can open all PP and PPL at the same signing level or below, however the reverse was not true, a PPL can never open a PP at any signing level for full access. Some of the levels and this relationship are shown below:\n\n** \n**\n\n\n\nSigning levels allow Microsoft to open up protected processes to third-parties, although at the current time the only type of protected process that a third party can create is an Anti-Malware PPL. The Anti-Malware level is special as it allows the third party to add additional permitted signing keys by registering an [Early Launch Anti-Malware (ELAM)](<https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124%28v=vs.85%29.aspx>) certificate. There is also Microsoft\u2019s TruePlay, which is an Anti-Cheat technology for games which uses components of PPL but it isn\u2019t really important for this discussion.\n\n** \n**\n\nI could spend a lot of this blog post describing how PP and PPL work under the hood, but I recommend reading the blog post series by Alex Ionescu instead (Parts [1](<http://www.alex-ionescu.com/?p=97>), [2](<http://www.alex-ionescu.com/?p=116>) and [3](<http://www.alex-ionescu.com/?p=146>)) which will do a better job. While the blog posts are primarily based on Windows 8.1, most of the concepts haven\u2019t changed substantially in Windows 10.\n\n** \n**\n\nI\u2019ve written about Protected Processes before [[link]](<https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html>), in the form of the custom implementation by Oracle in their VirtualBox virtualization platform on Windows. The blog showed how I bypassed the process protection using multiple different techniques. What I didn\u2019t mention at the time was the first technique I described, injecting JScript code into the process, also worked against Microsoft's PPL implementation. 
I reported that I could inject arbitrary code into a PPL to Microsoft (see Issue [1336](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1336>)) from an abundance of caution in case Microsoft wanted to fix it. In this case Microsoft decided it wouldn\u2019t be fixed as a security bulletin. However Microsoft did fix the issue in the next major release on Windows (version 1803) by adding the following code to CI.DLL, the Kernel\u2019s Code Integrity library:\n\n** \n**\n\nUNICODE_STRING g_BlockedDllsForPPL[] = { \nDECLARE_USTR(\"scrobj.dll\"), \nDECLARE_USTR(\"scrrun.dll\"), \nDECLARE_USTR(\"jscript.dll\"), \nDECLARE_USTR(\"jscript9.dll\"), \nDECLARE_USTR(\"vbscript.dll\") \n}; \n \nNTSTATUS CipMitigatePPLBypassThroughInterpreters(PEPROCESS Process, \nLPBYTE Image, \nSIZE_T ImageSize) { \nif (!PsIsProtectedProcess(Process)) \nreturn STATUS_SUCCESS; \n \nUNICODE_STRING OriginalImageName; \n// Get the original filename from the image resources. \nSIPolicyGetOriginalFilenameAndVersionFromImageBase( \nImage, ImageSize, &OriginalImageName); \nfor(int i = 0; i < _countof(g_BlockedDllsForPPL); ++i) { \nif (RtlEqualUnicodeString(g_BlockedDllsForPPL[i], \n&OriginalImageName, TRUE)) { \nreturn STATUS_DYNAMIC_CODE_BLOCKED; \n} \n} \nreturn STATUS_SUCCESS; \n}\n\n** \n**\n\nThe fix checks the original file name in the resource section of the image being loaded against a blacklist of 5 DLLs. The blacklist includes DLLs such as JSCRIPT.DLL, which implements the original JScript scripting engine, and SCROBJ.DLL, which implements scriptlet objects. If the kernel detects a PP or PPL loading one of these DLLs the image load is rejected with STATUS_DYNAMIC_CODE_BLOCKED. This kills my exploit, if you modify the resource section of one of the listed DLLs the signature of the image will be invalidated resulting in the image load failing due to a cryptographic hash mismatch. 
It\u2019s actually the same fix that Oracle used to block the attack in VirtualBox, although that was implemented in user-mode.\n\n## Finding New Targets\n\nThe previous injection technique using script code was a generic technique that worked on any PPL which loaded a COM object. With the technique fixed I decided to go back and look at what executables will load as a PPL to see if they have any obvious vulnerabilities I could exploit to get arbitrary code execution. I could have chosen to go after a full PP, but PPL seemed the easier of the two and I\u2019ve got to start somewhere. There\u2019s so many ways to inject into a PPL if we could just get administrator privileges, the least of which is just loading a kernel driver. For that reason any vulnerability I discover must work from a normal user account. Also I wanted to get the highest signing level I can get, which means PPL at Windows TCB signing level.\n\n** \n**\n\nThe first step was to identify executables which run as a protected process, this gives us the maximum attack surface to analyze for vulnerabilities. Based on the blog posts from Alex it seemed that in order to be loaded as PP or PPL the signing certificate needs a special Object Identifier (OID) in the certificate\u2019s Enhanced Key Usage (EKU) extension. There are separate OID for PP and PPL; we can see this below with a comparison between WERFAULTSECURE.EXE, which can run as PP/PPL, and CSRSS.EXE, which can only run as PPL.\n\n** \n**\n\n\n\n** \n**\n\nI decided to look for executables which have an embedded signature with these EKU OIDs and that\u2019ll give me a list of all executables to look for exploitable behavior. I wrote the Get-EmbeddedAuthenticodeSignature cmdlet for my [NtObjectManager](<https://www.powershellgallery.com/packages/NtObjectManager>) PowerShell module to extract this information. 
At this point I realized there was a problem with relying on the signing certificate: a lot of binaries I expected to be allowed to run as PP or PPL were missing from the list I generated. As PP was originally designed for DRM there was no obvious executable to handle the [Protected Media Path](<https://docs.microsoft.com/en-us/windows/desktop/medfound/protected-media-path>), such as AUDIODG.EXE. Also, based on my previous research into Device Guard and Windows 10S, I knew there must be an executable in the .NET framework which could run as PPL to add cached signing level information to NGEN-generated binaries (NGEN is the .NET ahead-of-time compiler which converts a .NET assembly into native code). The criteria for PP/PPL were more fluid than I expected. Instead of doing static analysis I decided to perform dynamic analysis: start every executable I could enumerate as a protected process and query the protection level granted. I wrote the following script to test a single executable:

```powershell
Import-Module NtObjectManager

function Test-ProtectedProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$FullName,
        # 0 lets the kernel pick the "best" protection type and signer.
        [NtApiDotNet.PsProtectedType]$ProtectedType = 0,
        [NtApiDotNet.PsProtectedSigner]$ProtectedSigner = 0
    )
    BEGIN {
        # Create the process protected and suspended; kill it on dispose.
        $config = New-NtProcessConfig abc -ProcessFlags ProtectedProcess `
            -ThreadFlags Suspended -TerminateOnDispose `
            -ProtectedType $ProtectedType `
            -ProtectedSigner $ProtectedSigner
    }
    PROCESS {
        $path = Get-NtFilePath $FullName
        Write-Host $path
        try {
            Use-NtObject($p = New-NtProcess $path -Config $config) {
                # Query the protection level the kernel actually granted.
                $prot = $p.Process.Protection
                $props = @{
                    Path=$path;
                    Type=$prot.Type;
                    Signer=$prot.Signer;
                    Level=$prot.Level.ToString("X");
                }
                $obj = New-Object -TypeName PSObject -Prop $props
                Write-Output $obj
            }
        } catch {
            # Creation failed: the binary can't run at the requested level.
        }
    }
}
```

When this script is
executed it defines a function, Test-ProtectedProcess. The function takes a path to an executable, starts that executable with a specified protection level and checks whether it was successful. If the ProtectedType and ProtectedSigner parameters are 0 then the kernel decides the “best” protection level. This leads to some annoying quirks: for example SVCHOST.EXE is explicitly marked as PPL and will run at PPL-Windows level, however as it’s also a signed OS component the kernel will determine its maximum level is PP-Authenticode. Another interesting quirk is that using the native process creation APIs it’s possible to start a DLL as the main executable image. As a significant number of system DLLs have embedded Microsoft signatures they can also be started as PP-Authenticode, even though this isn’t necessarily that useful. The list of binaries that will run at PPL is shown below along with their maximum signing level.

| Path | Signing Level |
|---|---|
| C:\windows\Microsoft.Net\Framework\v4.0.30319\mscorsvw.exe | CodeGen |
| C:\windows\Microsoft.Net\Framework64\v4.0.30319\mscorsvw.exe | CodeGen |
| C:\windows\system32\SecurityHealthService.exe | Windows |
| C:\windows\system32\svchost.exe | Windows |
| C:\windows\system32\xbgmsvc.exe | Windows |
| C:\windows\system32\csrss.exe | Windows TCB |
| C:\windows\system32\services.exe | Windows TCB |
| C:\windows\system32\smss.exe | Windows TCB |
| C:\windows\system32\werfaultsecure.exe | Windows TCB |
| C:\windows\system32\wininit.exe | Windows TCB |

## Injecting Arbitrary Code Into NGEN

After carefully reviewing the list of executables which run as PPL I settled on trying to attack the previously mentioned .NET NGEN binary, MSCORSVW.EXE.
My rationale for choosing the NGEN binary was:

 * Most of the other binaries are service binaries which might need administrator privileges to start correctly.

 * The binary is likely to load complex functionality such as the .NET framework, as well as having multiple COM interactions (my go-to technology for weird behavior).

 * In the worst case it might still yield a Device Guard bypass, as the reason it runs as PPL is to give it access to the kernel APIs to apply a cached signing level. Any bug in the operation of this binary might be exploitable even if we can’t get arbitrary code running in a PPL.

But there is an issue with the NGEN binary: it doesn’t meet my own criterion of getting the top signing level, Windows TCB. However, I knew that when Microsoft fixed [Issue 1332](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1332>) they left in a back door where a writable handle could be maintained during the signing process if the calling process is a PPL, as shown below (reverse-engineered pseudocode):

```c
NTSTATUS CiSetFileCache(HANDLE Handle, ...) {
    PFILE_OBJECT FileObject;
    ObReferenceObjectByHandle(Handle, &FileObject);

    // Reject a file opened for shared write, or one opened for write by
    // anything other than a PPL. A PPL keeps its writable handle.
    if (FileObject->SharedWrite ||
        (FileObject->WriteAccess &&
         PsGetProcessProtection().Type != PROTECTED_LIGHT)) {
        return STATUS_SHARING_VIOLATION;
    }

    // Continue setting file cache.
}
```

If I could get code execution inside the NGEN binary I could reuse this back door to cache-sign an arbitrary file, which would then load into any PPL. I could then DLL-hijack a full PPL-WindowsTCB process to reach my goal.

To begin the investigation we need to determine how to use the MSCORSVW executable. Using MSCORSVW is not documented anywhere by Microsoft, so we’ll have to do a bit of digging. First off, this binary is not supposed to be run directly; instead it’s invoked by NGEN when creating an NGEN’ed binary.
Therefore, we can run NGEN and use a tool such as Process Monitor to capture the command line used for the MSCORSVW process. Executing the command:

```
C:\> NGEN install c:\some\binary.dll
```

results in the following command line being executed:

```
MSCORSVW -StartupEvent A -InterruptEvent B -NGENProcess C -Pipe D
```

A, B, C and D are handles which NGEN ensures are inherited into the new process before it starts. As we don’t see any of the original NGEN command line parameters it seems likely they’re being passed over an IPC mechanism. The “Pipe” parameter gives an indication that named pipes are used for IPC. Digging into the code in MSCORSVW, we find the method NGenWorkerEmbedding, which looks like the following (reverse-engineered pseudocode):

```c
void NGenWorkerEmbedding(HANDLE hPipe) {
    CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED);
    CorSvcBindToWorkerClassFactory factory;

    // Marshal the class factory into a stream.
    IStream* pStm;
    CreateStreamOnHGlobal(nullptr, TRUE, &pStm);
    CoMarshalInterface(pStm, IID_IClassFactory, &factory,
                       MSHCTX_LOCAL, nullptr, MSHLFLAGS_NORMAL);

    // Read the marshaled object back and write it to the pipe.
    DWORD length;
    DWORD written;
    char* buffer = ReadEntireIStream(pStm, &length);
    WriteFile(hPipe, &length, sizeof(length), &written, nullptr);
    WriteFile(hPipe, buffer, length, &written, nullptr);
    CloseHandle(hPipe);

    // Signal the parent that the factory is ready.
    SetEvent(hStartupEvent);

    // Pump the message loop to handle COM calls.
    MessageLoop();

    // ...
}
```

This code is not quite what I expected. Rather than using the named pipe for the entire communication channel, it’s only used to transfer a marshaled COM object back to the calling process.
The COM object is a class factory instance. Normally you’d register the factory using CoRegisterClassObject, but that would make it accessible to all processes at the same security level; by marshaling it over the pipe instead, the connection can be kept private to the NGEN binary which spawned MSCORSVW. A .NET-related process using COM gets me interested, as I’ve previously described in [another blog post](<https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html>) how you can exploit COM objects implemented in .NET. If we’re lucky this COM object is implemented in .NET; we can determine whether it is by querying for its interfaces, for example using the Get-ComInterface command in my [OleViewDotNet PowerShell module](<https://www.powershellgallery.com/packages/OleViewDotNet>), as shown in the original post’s screenshot.

(Screenshot: Get-ComInterface output for the marshaled class factory; not reproduced here.)

We’re out of luck: this object is not implemented in .NET, as you’d at least expect to see an instance of the _Object interface. There’s only one interface implemented, ICorSvcBindToWorker, so let’s dig into that interface to see if there’s anything we can exploit.

Something caught my eye: in the screenshot there’s a HasTypeLib column, and for ICorSvcBindToWorker it’s set to True. HasTypeLib indicates that rather than the interface’s proxy code being implemented using a predefined NDR byte stream, it’s generated on the fly from a type library. I’ve abused this auto-generating proxy mechanism before to elevate to SYSTEM, reported as [issue 1112](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1112>). In that issue I used some interesting behavior of the system’s Running Object Table (ROT) to force a type confusion in a system COM service.
While Microsoft has fixed the issue for User to SYSTEM, there’s nothing stopping us using the same type confusion trick to exploit the MSCORSVW process running as PPL at the same privilege level and get arbitrary code execution. Another advantage of using a type library is that a normal proxy would be loaded as a DLL, which means it must meet the PPL signing level requirements; a type library is just data, so it can be loaded into a PPL without any signing level violations.

How does the type confusion work? Looking at the ICorSvcBindToWorker interface from the type library:

```c
interface ICorSvcBindToWorker : IUnknown {
    HRESULT BindToRuntimeWorker(
        [in] BSTR pRuntimeVersion,
        [in] unsigned long ParentProcessID,
        [in] BSTR pInterruptEventName,
        [in] ICorSvcLogger* pCorSvcLogger,
        [out] ICorSvcWorker** pCorSvcWorker);
};
```

The single method, BindToRuntimeWorker, takes 5 parameters, 4 inbound and 1 outbound. When we call the method over DCOM from our untrusted process the system automatically generates the proxy and stub for the call. This involves marshaling COM interface parameters into a buffer, sending the buffer to the remote process and then unmarshaling them back into pointers before calling the real function. For example, imagine a simpler function, DoSomething, which takes a single IUnknown pointer. The marshaling process looks like the following:

(Diagram: marshaling of an IUnknown parameter from DoSomethingProxy to DoSomethingStub; not reproduced here.)

The operation of the method call is as follows:

 1. The untrusted process calls DoSomething on the interface, which is actually a pointer to DoSomethingProxy, auto-generated from the type library, passing an IUnknown pointer parameter.

 2. DoSomethingProxy marshals the IUnknown pointer parameter into the buffer and calls over RPC to the stub in the protected process.

 3. The COM runtime calls the DoSomethingStub method to handle the call. This method unmarshals the interface pointer from the buffer.
Note that this pointer is not the original pointer from step 1; it’s likely to be a new proxy which calls back to the untrusted process.

 4. The stub invokes the real implemented method inside the server, passing the unmarshaled interface pointer.

 5. DoSomething uses the interface pointer, for example by calling AddRef on it via the object’s VTable.

How would we exploit this? All we need to do is modify the type library so that instead of passing an interface pointer we pass almost anything else. While the type library file is in a system location which we can’t modify, we can just replace the registration for it in the current user’s registry hive, or use the same ROT trick from issue 1112. For example, if we modify the type library to pass an integer instead of an interface pointer we get the following:

(Diagram: the same call with the parameter declared as an integer; not reproduced here.)

The operation of the marshaling now changes as follows:

 1. The untrusted process calls DoSomething on the interface, which is actually a pointer to DoSomethingProxy, auto-generated from the modified type library, passing an arbitrary integer parameter.

 2. DoSomethingProxy marshals the integer parameter into the buffer and calls over RPC to the stub in the protected process.

 3. The COM runtime calls the DoSomethingStub method to handle the call. This method unmarshals the integer from the buffer.

 4. The stub invokes the real implemented method inside the server, passing the integer as the parameter. However DoSomething hasn’t changed; it’s still the same method which accepts an interface pointer. As the COM runtime has no more type information at this point, the integer is type-confused with the interface pointer.

 5. DoSomething uses the interface pointer, for example by calling AddRef on it via the object’s VTable.
As this pointer is completely under the control of the untrusted process this likely results in arbitrary code execution.

By changing the type of the parameter from an interface pointer to an integer we induce a type confusion which gets an arbitrary pointer dereferenced, resulting in arbitrary code execution. We could even simplify the attack by adding the following structure to the type library:

```c
struct FakeObject {
    BSTR FakeVTable;
};
```

If we pass a pointer to a FakeObject instead of the interface pointer, the auto-generated proxy will marshal the structure and its BSTR, recreating both on the other side in the stub. As a BSTR is a counted string it can contain NULs, so this creates a pointer to an object whose first field points to an arbitrary byte array, which can act as a VTable. Place known function pointers in that BSTR and you can easily redirect execution without having to guess the location of a suitable VTable buffer.

To fully exploit this we’d need to call a suitable method, probably running a ROP chain, and we might also have to bypass CFG. That all sounds too much like hard work, so instead I’ll take a different approach to get arbitrary code running in the PPL binary, by abusing KnownDlls.

## KnownDlls and Protected Processes

In my [previous blog post](<https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html>) I described a technique to elevate privileges from an arbitrary object directory creation vulnerability to SYSTEM by adding an entry into the KnownDlls directory and getting an arbitrary DLL loaded into a privileged process. I noted that this was also an administrator-to-PPL code injection, as a PPL will also load DLLs from the system’s KnownDlls location.
As the code signing check is performed during section creation, not section mapping, as long as you can place an entry into KnownDlls you can load anything into a PPL, even unsigned code.

This doesn’t immediately seem that useful: we can’t write to KnownDlls without being an administrator, and even then not without some clever tricks. However it’s worth looking at how a Known DLL is loaded to understand how it can be abused. Inside NTDLL’s loader (LDR) code is the following function to determine if there’s a preexisting Known DLL (reverse-engineered pseudocode):

```c
NTSTATUS LdrpFindKnownDll(PUNICODE_STRING DllName, HANDLE *SectionHandle) {
    // If the KnownDlls directory handle isn't open then return an error.
    if (!LdrpKnownDllDirectoryHandle)
        return STATUS_DLL_NOT_FOUND;

    // Look the name up relative to the directory handle, not by absolute path.
    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes,
                               DllName,
                               OBJ_CASE_INSENSITIVE,
                               LdrpKnownDllDirectoryHandle,
                               nullptr);

    return NtOpenSection(SectionHandle,
                         SECTION_ALL_ACCESS,
                         &ObjectAttributes);
}
```

The LdrpFindKnownDll function calls NtOpenSection to open the named section object for the Known DLL. It doesn’t open an absolute path; instead it uses the feature of the native system calls to specify a root directory for the object name lookup in the OBJECT_ATTRIBUTES structure. This root directory comes from the global variable LdrpKnownDllDirectoryHandle. Implementing the call this way allows the loader to specify only the filename (e.g. EXAMPLE.DLL) and not have to reconstruct the absolute path, as the lookup will be relative to an existing directory. Chasing references to LdrpKnownDllDirectoryHandle we find it’s initialized in LdrpInitializeProcess as follows:

```c
NTSTATUS LdrpInitializeProcess() {
    // ...
    PPEB peb = /* ... */;
    // If a full protected process don't use KnownDlls.
    if (peb->IsProtectedProcess && !peb->IsProtectedProcessLight) {
        LdrpKnownDllDirectoryHandle = nullptr;
    } else {
        OBJECT_ATTRIBUTES ObjectAttributes;
        UNICODE_STRING DirName;
        RtlInitUnicodeString(&DirName, L"\\KnownDlls");
        InitializeObjectAttributes(&ObjectAttributes,
                                   &DirName,
                                   OBJ_CASE_INSENSITIVE,
                                   nullptr, nullptr);
        // Open the KnownDlls directory and cache the handle in the global.
        NtOpenDirectoryObject(&LdrpKnownDllDirectoryHandle,
                              DIRECTORY_QUERY | DIRECTORY_TRAVERSE,
                              &ObjectAttributes);
    }
    // ...
}
```

This code shouldn’t be that unexpected: the implementation calls NtOpenDirectoryObject, passing the absolute path to the KnownDlls directory as the object name. The opened handle is stored in the LdrpKnownDllDirectoryHandle global variable for later use. It’s worth noting that this code checks the PEB to determine if the current process is a full protected process. Support for loading Known DLLs is disabled in full protected process mode, which is why even with administrator privileges and the clever trick I outlined in the last blog post we could only compromise PPL, not PP.

How does this knowledge help us? We can use our COM type confusion trick to write values into arbitrary memory locations instead of trying to hijack code execution, resulting in a data-only attack. As we can inherit any handles we like into the new PPL process, we can set up an object directory containing a named section, then use the type confusion to change the value of LdrpKnownDllDirectoryHandle to the value of the inherited handle. If we then induce a DLL load from System32 with a known name, the LDR will check our fake directory for the named section and map our unsigned code into memory, even calling DllMain for us.
No need for injecting threads, ROP or bypassing CFG.

All we need is a suitable primitive to write an arbitrary value. Unfortunately, while I could find methods which would cause an arbitrary write, I couldn’t sufficiently control the value being written. In the end I used the following interface and method, implemented on the object returned by ICorSvcBindToWorker::BindToRuntimeWorker:

```c
interface ICorSvcPooledWorker : IUnknown {
    HRESULT CanReuseProcess(
        [in] OptimizationScenario scenario,
        [in] ICorSvcLogger* pCorSvcLogger,
        [out] long* pCanContinue);
};
```

In the implementation of CanReuseProcess the target of pCanContinue is always initialized to 0. Therefore by replacing the [out] long* in the type library definition with [in] long we can get 0 written to any memory location we specify. The value we write is fixed, so the trick is to pick a target where zeros are enough. By prefilling the new process’ handle table with handles to a fake KnownDlls directory at every handle value below 0x10000, we can be sure that the real KnownDlls handle, which is opened once the process starts, has a value whose low 16 bits alias one of our fake handles; setting the top 16 bits of the handle value to 0 therefore turns it into one of ours. This is shown in the following diagram:

(Diagram: the real KnownDlls handle aliased onto a prefilled fake directory handle by zeroing its top 16 bits; not reproduced here.)

Once we’ve overwritten the top 16 bits with 0 (the write is 32 bits wide, but handles are 64 bits in 64-bit mode and their upper bits are already zero, so a write that straddles the top 16 bits of the handle value won’t overwrite anything important) LdrpKnownDllDirectoryHandle now refers to one of our fake KnownDlls handles. We can then easily induce a DLL load by sending a custom marshaled object to the same method and we’ll get arbitrary code execution inside the PPL.

## Elevating to PPL-Windows TCB

We can’t stop here: attacking MSCORSVW only gets us PPL at the CodeGen signing level, not Windows TCB.
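Before moving on, here is an added C example (written for this page; it is not code from the Project Zero post or from NtObjectManager) that models the data-only primitive from the previous section in user mode: the server's CanReuseProcess writing a 32-bit zero, the stub after the type library edit passing an attacker-chosen integer where a pointer was expected, a simulated handle table prefilled below 0x10000, and the loader's lookup relative to the LdrpKnownDllDirectoryHandle global. The handle values, the table layout, the object constants and the helper names CanReuseProcess_Stub, setup_process and run_attack are assumptions of the model, and it assumes a little-endian 64-bit target; the real attack performs the same write against the live MSCORSVW process.

```c
// Added example modelling the post's data-only attack; not code from the post.
// Assumptions: 64-bit little-endian target, handles are multiples of 4, the
// edited type library lets the stub pass a 64-bit integer (uintptr_t) to the
// server, and the constants below stand in for real kernel objects.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HANDLE_TABLE_SIZE  0x20000u   // simulated handle table, indexed by handle value
#define FAKE_KNOWNDLLS_DIR 0xF00Du    // object behind every attacker-prefilled handle
#define REAL_KNOWNDLLS_DIR 0xBEEFu    // object behind the real \KnownDlls handle

typedef uint64_t HANDLE_T;            // a 64-bit handle, as on x64 Windows

static uint32_t g_handle_table[HANDLE_TABLE_SIZE];
static HANDLE_T g_LdrpKnownDllDirectoryHandle;   // the loader global being targeted

// Server side: ICorSvcPooledWorker::CanReuseProcess always sets the [out]
// value to 0 (the real code does "*pCanContinue = 0;"; memcpy is used here so
// the unaligned 4-byte store is well defined in the simulation).
static void CanReuseProcess(int32_t *pCanContinue) {
    int32_t zero = 0;
    memcpy(pCanContinue, &zero, sizeof(zero));
}

// Auto-generated stub after the type library edit: the parameter is declared
// as an [in] integer, so the stub unmarshals a number from the client buffer
// and passes it where the server still expects a pointer (type confusion).
static void CanReuseProcess_Stub(const uint8_t *buffer) {
    uintptr_t value;
    memcpy(&value, buffer, sizeof(value));   // unmarshal the "integer"
    CanReuseProcess((int32_t *)value);       // server treats it as long*
}

// Loader side: resolve a Known DLL relative to the directory handle, as
// LdrpFindKnownDll does via OBJECT_ATTRIBUTES rooted at the global handle.
// Returns the directory object the lookup is rooted at, or 0 if none.
static uint32_t LdrpFindKnownDll(void) {
    HANDLE_T h = g_LdrpKnownDllDirectoryHandle;
    if (h == 0 || h >= HANDLE_TABLE_SIZE) return 0;
    return g_handle_table[h];
}

// New process image: every handle value below 0x10000 is inherited and refers
// to the attacker's fake directory, then the loader opens the real \KnownDlls
// and receives a handle above the prefilled range. (If that handle were
// exactly 0x10000 the aliased value would be 0, i.e. invalid; the simulation
// picks 0x10004 so the aliased handle lands on a prefilled slot.)
static HANDLE_T setup_process(void) {
    memset(g_handle_table, 0, sizeof(g_handle_table));
    for (HANDLE_T h = 4; h < 0x10000; h += 4)
        g_handle_table[h] = FAKE_KNOWNDLLS_DIR;
    HANDLE_T real = 0x10004;
    g_handle_table[real] = REAL_KNOWNDLLS_DIR;
    g_LdrpKnownDllDirectoryHandle = real;
    return real;
}

// Client side: marshal the address of byte 2 of the global as the "integer".
// A 32-bit store of zero there clears bits 16..47: the top 16 bits of the
// meaningful handle value plus 16 bits that were already zero.
static uint32_t run_attack(void) {
    setup_process();
    uintptr_t target = (uintptr_t)&g_LdrpKnownDllDirectoryHandle + 2;
    uint8_t marshaled[sizeof(uintptr_t)];
    memcpy(marshaled, &target, sizeof(target));
    CanReuseProcess_Stub(marshaled);
    return LdrpFindKnownDll();               // which directory is the loader using now?
}

int main(void) {
    HANDLE_T before = setup_process();
    printf("before: handle=0x%llx -> object 0x%x\n",
           (unsigned long long)before, LdrpFindKnownDll());
    uint32_t dir = run_attack();
    printf("after:  handle=0x%llx -> object 0x%x (%s)\n",
           (unsigned long long)g_LdrpKnownDllDirectoryHandle, dir,
           dir == FAKE_KNOWNDLLS_DIR ? "fake KnownDlls" : "real KnownDlls");
    return dir == FAKE_KNOWNDLLS_DIR ? 0 : 1;
}
```

Compile with `cc -O2 -o knowndlls_alias knowndlls_alias.c` and run it: the handle changes from 0x10004 to 0x4 and the loader's lookup is now rooted at the fake directory, although the only thing the server ever wrote was a 32-bit zero.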
Knowing that a fake cached-signed DLL should load into a PPL, and that Microsoft had left a back door for PPL processes at any signing level, I converted my C# code from [Issue 1332](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1332>) to C++ to generate a fake cached-signed DLL. By abusing a DLL hijack in WERFAULTSECURE.EXE, which runs as PPL Windows TCB, we should get code execution at the desired signing level. This worked on Windows 10 1709 and earlier, however it didn’t work on 1803. Clearly Microsoft had changed the behavior of cached signing levels in some way; perhaps they’d removed its trust in PPL entirely. That seemed unlikely, as it would have a negative performance impact.

After discussing this a bit with Alex Ionescu I decided to put together a quick parser, with information from Alex, for the cached signing data on a file. This is exposed in NtObjectManager as the Get-NtCachedSigningLevel command. I ran this command against a fake signed binary and a system binary which was also cached signed and immediately noticed a difference:

(Screenshot: Get-NtCachedSigningLevel output for the fake signed binary and a system binary; not reproduced here.)

For the fake signed file the Flags are set to TrustedSignature (0x02); for the system binary PowerShell couldn’t decode the enumeration and so just output the integer value 66, which is 0x42 in hex. The value 0x40 was an extra flag on top of the original trusted signature flag. It seemed likely that without this flag set the DLL wouldn’t be loaded into a PPL process. Something must be setting this flag, so I decided to check what happened if I loaded a valid cached signed DLL without the extra flag into a PPL process. Monitoring it in Process Monitor I got my answer:

(Screenshot: Process Monitor trace of the DLL load; not reproduced here.)

The Process Monitor trace shows that first the kernel queries the Extended Attributes (EA) of the DLL.
The cached signing level data is stored in the file’s EA, so this is almost certainly the cached signing level being read. In the full trace, artifacts of checking the full signature are shown, such as enumerating catalog files; I’ve removed those from the screenshot for brevity. Finally the EA is set, and if I check the cached signing level of the file it now includes the extra flag. So setting the cached signing level is done automatically; the question is how? By pulling up the stack trace we can see how it happens:

(Screenshot: Process Monitor stack trace for the EA write; not reproduced here.)

Looking at the middle of the stack trace we can see the call to CipSetFileCache originates from the call to NtCreateSection. The kernel is automatically caching the signature when it makes sense to do so, e.g. in a PPL, so that subsequent image mappings don’t need to recheck the signature. It’s possible to map an image section from a file opened with write access, so we can reuse the same attack from Issue 1332, replace the call to NtSetCachedSigningLevel with NtCreateSection, and fake-sign any DLL. It turned out that this path reached the file cache code without passing through the write check introduced to fix Issue 1332, and so it was possible to use it to bypass Device Guard again. For that reason I reported the bypass as [Issue 1597](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1597>), which was fixed in September 2018 as [CVE-2018-8449](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8449>). However, as with Issue 1332, the back door for PPL is still in place, so even though the fix eliminated the Device Guard bypass it can still be used to get us from PPL-CodeGen to PPL-WindowsTCB.

## Conclusions

This blog showed how I was able to inject arbitrary code into a PPL without requiring administrator privileges. What could you do with this new-found power?
Actually not a great deal as a normal user, but there are some parts of the OS, such as the Windows Store, which rely on PPL to secure files and resources which you can’t modify as a normal user. If you elevate to administrator and then inject into a PPL you’ll get many more things to attack, such as CSRSS (through which you can certainly get kernel code execution), or Windows Defender, which runs as PPL Anti-Malware. Over time I’m sure the majority of the use cases for PPL will be replaced with Virtual Secure Mode (VSM) and Isolated User Mode (IUM) applications, which have greater security guarantees and are also considered security boundaries that Microsoft will defend and fix.

Did I report these issues to Microsoft? Microsoft has made it clear that they will not fix issues only affecting PP and PPL in a security bulletin. Without a security bulletin the researcher receives no acknowledgement for the find, such as a CVE. The issue will not be fixed in current versions of Windows, although it might be fixed in the next major version. Previously, confirming Microsoft’s policy on fixing a particular security issue was based on precedent; however they’ve recently published a list of Windows technologies that will or will not be fixed in the [Windows Security Servicing Criteria](<https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria>), which, as the original post’s screenshot of the Protected Process Light entry shows, states that Microsoft will not fix or pay a bounty for issues relating to the feature. Therefore, from now on I will not be engaging Microsoft if I discover issues which I believe only affect PP or PPL.

(Screenshot: the Protected Process Light entry in the Windows Security Servicing Criteria; not reproduced here.)

The one bug I reported to Microsoft was only fixed because it could be used to bypass Device Guard. When you think about it, only fixing for Device Guard is somewhat odd.
I can still bypass Device Guard by injecting into a PPL and setting a cached signing level, and yet Microsoft won’t fix PPL issues but will fix Device Guard issues. Much as the Windows Security Servicing Criteria document really helps to clarify what Microsoft will and won’t fix, it’s still somewhat arbitrary. A security feature is rarely secure in isolation; it is almost certainly secure only because other features enable it to be so.

In part 2 of this blog we’ll go into how I was also able to break into full PP-WindowsTCB processes using another interesting feature of COM.

Source: [Injecting Code into Windows Protected Processes using COM - Part 1](<https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html>), Google Project Zero, published 2018-10-16 (aggregator CVSS 2.1, AV:L/AC:L/Au:N/C:N/I:P/A:N).

## Related advisory: KLA11136, Multiple vulnerabilities in Microsoft Windows (Kaspersky)

CVE list: CVE-2017-11768, CVE-2017-11788, CVE-2017-11830, CVE-2017-11831, CVE-2017-11832, CVE-2017-11842, CVE-2017-11847, CVE-2017-11849, CVE-2017-11850, CVE-2017-11851, CVE-2017-11853, CVE-2017-11880.

### *Detect date*:
11/14/2017

### *Severity*:
High

### *Description*:
Multiple vulnerabilities were found in Microsoft Windows.
Malicious users can exploit these vulnerabilities to obtain sensitive information, cause denial of service, bypass security restrictions or gain privileges.

### *Affected products*:
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 1511 for 32-bit Systems
- Windows 10 Version 1511 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1703 for 32-bit Systems
- Windows 10 Version 1703 for x64-based Systems
- Windows 10 Version 1709 for 32-bit Systems
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows 8.1 for 32-bit systems
- Windows 8.1 for x64-based systems
- Windows RT 8.1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows 10 Version 1709 for x64-based Systems

### *Solution*:
Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

### *Original advisories*:
- [CVE-2017-11768](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11768>)
- [CVE-2017-11788](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11788>)
- [CVE-2017-11830](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11830>)
- [CVE-2017-11831](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11831>)
- [CVE-2017-11832](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11832>)
- [CVE-2017-11842](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11842>)
- [CVE-2017-11847](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11847>)
- [CVE-2017-11849](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11849>)
- [CVE-2017-11850](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11850>)
- [CVE-2017-11851](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11851>)
- [CVE-2017-11853](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11853>)
- [CVE-2017-11880](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11880>)

### *Impacts*:
OSI

### *Related products*:
[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)

### *CVE-IDS*:
- [CVE-2017-11768](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11768>): 0.0, Unknown
- [CVE-2017-11788](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11788>): 0.0, Unknown
- [CVE-2017-11830](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11830>): 0.0, Unknown
- [CVE-2017-11831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11831>): 0.0, Unknown
- [CVE-2017-11832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11832>): 0.0, Unknown
- [CVE-2017-11842](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11842>): 0.0, Unknown
- [CVE-2017-11847](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11847>): 0.0, Unknown
- [CVE-2017-11849](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11849>): 0.0, Unknown
- [CVE-2017-11850](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11850>): 0.0, Unknown
- [CVE-2017-11851](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11851>): 0.0, Unknown
- [CVE-2017-11853](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11853>): 0.0, Unknown
- [CVE-2017-11880](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11880>): 0.0, Unknown

### *Microsoft official advisories*:

### *KB list*:
- [4048955](<http://support.microsoft.com/kb/4048955>)
- [4048952](<http://support.microsoft.com/kb/4048952>)
- [4048953](<http://support.microsoft.com/kb/4048953>)
- [4048954](<http://support.microsoft.com/kb/4048954>)
- [4048956](<http://support.microsoft.com/kb/4048956>)
- [4048958](<http://support.microsoft.com/kb/4048958>)
- [4048959](<http://support.microsoft.com/kb/4048959>)
- [4048961](<http://support.microsoft.com/kb/4048961>)
- [4048962](<http://support.microsoft.com/kb/4048962>)

### *Exploitation*:
The following public exploits exist for this vulnerability:

Source: [KLA11136, Multiple vulnerabilities in Microsoft Windows](<https://threats.kaspersky.com/en/vulnerability/KLA11136>), Kaspersky, published 2017-11-14, modified 2020-07-22 (aggregator CVSS 9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C).

## Related advisory: Multiple vulnerabilities in Microsoft Windows, detected 09/11/2018 (Kaspersky)

CVE list: CVE-2018-8441, CVE-2018-8443, CVE-2018-8410, CVE-2018-8442, CVE-2018-8419, CVE-2018-8433, CVE-2018-8271, CVE-2018-0965, CVE-2018-8436, CVE-2018-8439, CVE-2018-8449, CVE-2018-8424, CVE-2018-8434, CVE-2018-8437, CVE-2018-8337, CVE-2018-8392, CVE-2018-8440, CVE-2018-8420, CVE-2018-8393, CVE-2018-8332, CVE-2018-8455, CVE-2018-8438, CVE-2018-8475, CVE-2018-8435, CVE-2018-8446, CVE-2018-8444, CVE-2018-8462, CVE-2018-8468, CVE-2018-8445, CVE-2018-8335.

### *Detect date*:
09/11/2018

### *Severity*:
Critical

### *Description*:
Multiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, gain privileges, cause denial of service, execute arbitrary code or bypass security restrictions.

### *Affected products*:
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1703 for 32-bit Systems
- Windows 10 Version 1703 for x64-based Systems
- Windows 10 Version 1709 for 32-bit Systems
- Windows 10 Version 1803 for 32-bit Systems
- Windows 10 Version 1803 for x64-based Systems
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows 8.1 for 32-bit systems
- Windows 8.1 for x64-based systems
- Windows RT 8.1
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server, version 1803 (Server Core Installation)
- Windows 10 Version 1709 for x64-based Systems

### *Solution*:
Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

### *Original advisories*:
- [CVE-2018-8433](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8433>)
- [CVE-2018-8462](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8462>)
- [CVE-2018-8442](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8442>)
- [CVE-2018-8440](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8440>)
- [CVE-2018-8438](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8438>)
- [CVE-2018-8455](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8455>)
- [CVE-2018-8392](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8392>)
- [CVE-2018-8410](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8410>)
- [CVE-2018-8335](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8335>)
- [CVE-2018-8444](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8444>)
- [CVE-2018-8441](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8441>)
- [CVE-2018-8332](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8332>)
- [CVE-2018-0965](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-0965>)
- [CVE-2018-8271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8271>)
- [CVE-2018-8437](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8437>)
- [CVE-2018-8443](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8443>)
- [CVE-2018-8475](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8475>)
- [CVE-2018-8419](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8419>)
- [CVE-2018-8434](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8434>)
\n[CVE-2018-8420](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8420>) \n[CVE-2018-8436](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8436>) \n[CVE-2018-8439](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8439>) \n[CVE-2018-8449](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8449>) \n[CVE-2018-8435](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8435>) \n[CVE-2018-8424](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8424>) \n[CVE-2018-8468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8468>) \n[CVE-2018-8393](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8393>) \n[CVE-2018-8445](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8445>) \n[CVE-2018-8337](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8337>) \n[CVE-2018-8446](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8446>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-8433](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8433>)0.0Unknown \n[CVE-2018-8462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8462>)0.0Unknown \n[CVE-2018-8442](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8442>)0.0Unknown \n[CVE-2018-8440](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8440>)0.0Unknown \n[CVE-2018-8438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8438>)0.0Unknown \n[CVE-2018-8455](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8455>)0.0Unknown \n[CVE-2018-8392](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8392>)0.0Unknown 
\n[CVE-2018-8410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8410>)0.0Unknown \n[CVE-2018-8335](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8335>)0.0Unknown \n[CVE-2018-8444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8444>)0.0Unknown \n[CVE-2018-8441](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8441>)0.0Unknown \n[CVE-2018-8332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8332>)0.0Unknown \n[CVE-2018-0965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0965>)0.0Unknown \n[CVE-2018-8271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8271>)0.0Unknown \n[CVE-2018-8437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8437>)0.0Unknown \n[CVE-2018-8443](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8443>)0.0Unknown \n[CVE-2018-8475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8475>)0.0Unknown \n[CVE-2018-8419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8419>)0.0Unknown \n[CVE-2018-8434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8434>)0.0Unknown \n[CVE-2018-8420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8420>)0.0Unknown \n[CVE-2018-8436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8436>)0.0Unknown \n[CVE-2018-8439](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8439>)0.0Unknown \n[CVE-2018-8449](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8449>)0.0Unknown \n[CVE-2018-8435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8435>)0.0Unknown \n[CVE-2018-8424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8424>)0.0Unknown \n[CVE-2018-8468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8468>)0.0Unknown \n[CVE-2018-8393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8393>)0.0Unknown \n[CVE-2018-8445](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8445>)0.0Unknown 
\n[CVE-2018-8337](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8337>)0.0Unknown \n[CVE-2018-8446](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8446>)0.0Unknown\n\n### *KB list*:\n[4457984](<http://support.microsoft.com/kb/4457984>) \n[4458010](<http://support.microsoft.com/kb/4458010>) \n[4457128](<http://support.microsoft.com/kb/4457128>) \n[4457131](<http://support.microsoft.com/kb/4457131>) \n[4457132](<http://support.microsoft.com/kb/4457132>) \n[4457142](<http://support.microsoft.com/kb/4457142>) \n[4457138](<http://support.microsoft.com/kb/4457138>) \n[4457129](<http://support.microsoft.com/kb/4457129>) \n[4457143](<http://support.microsoft.com/kb/4457143>) \n[4457144](<http://support.microsoft.com/kb/4457144>) \n[4457145](<http://support.microsoft.com/kb/4457145>) \n[4457135](<http://support.microsoft.com/kb/4457135>) \n[4457140](<http://support.microsoft.com/kb/4457140>)\n\n### *Microsoft official advisories*:\n\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 29, "modified": "2020-07-22T00:00:00", "published": "2018-09-11T00:00:00", "id": "KLA11316", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11316", "title": "\r KLA11316Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-01-23T20:50:13", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11827", "CVE-2017-11830", "CVE-2017-11836", "CVE-2017-11837", "CVE-2017-11838", "CVE-2017-11839", "CVE-2017-11847", "CVE-2017-11848", "CVE-2017-11871", "CVE-2017-11873", "CVE-2017-11882", "CVE-2017-11883", "CVE-2017-13080", "CVE-2017-8700"], "description": "This November Patch Tuesday is moderate in volume and severity. Microsoft released patches to address 53 unique vulnerabilities, with 25 focused on Remote Code Execution fixes. 
Windows OS receives 14 patches, while the lion's share is focused on Browsers, Microsoft Office, and Adobe. According to Microsoft, there do not appear to be any actively attacked vulnerabilities in the wild in this patch release.\n\nInterestingly enough, none of the Windows OS patches are listed as Critical this month, but we do recommend focusing on [CVE-2017-11830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11830>) and [CVE-2017-11847](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11847>), as they address a Security Feature Bypass, and a Privilege Elevation respectively. \n\nIt should also be noted that [CVE-2017-11848](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11848>), [CVE-2017-11827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11827>), [CVE-2017-11883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11883>), [CVE-2017-8700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8700>) have public exploits, but they do not appear to be used in any active campaigns.\n\nFrom a prioritization standpoint, focus on the fixes for [CVE-2017-11836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11836>), [CVE-2017-11837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11837>), [CVE-2017-11838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11838>), [CVE-2017-11839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11839>), [CVE-2017-11871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11871>), and [CVE-2017-11873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11873>), which all address the Scripting Engine in Edge and Internet Explorer, especially on laptops, and other workstation-type systems where the logged in 
user may have administrative privileges. Microsoft lists exploitation as More Likely for these vulnerabilities, especially if a user is tricked into viewing a malicious site or opening an attachment.\n\nWhile Microsoft lists the fix for [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) as Important, there may be POC code for this vulnerability, so it is recommended that you give the Office updates attention this month as well.\n\nIt should also be noted that [last Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2017/10/10/october-patch-tuesday-28-critical-microsoft-vulnerabilities>), Microsoft quietly released the fix for [CVE-2017-13080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080>), widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Therefore, it is recommended you ensure last month\u2019s security patches are fully addressed. 
Alternatively, you can install this month\u2019s Monthly Rollups, as they should include this fix.\n\nAdobe has also [released patches for 9 advisories](<https://helpx.adobe.com/security.html>), fixing a stunning 62 CVEs for Acrobat and Reader alone, so ensure that you are updating Adobe across your environment to stay protected.", "modified": "2017-11-14T19:37:26", "published": "2017-11-14T19:37:26", "id": "QUALYSBLOG:97274435F9F49556ED060635FD9081E2", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2017/11/14/november-patch-tuesday-53-vulnerabilities-and-a-massive-adobe-update", "type": "qualysblog", "title": "November Patch Tuesday: 53 Vulnerabilities and a Massive Adobe Update", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:27", "bulletinFamily": "info", "cvelist": ["CVE-2017-11839", "CVE-2017-13080", "CVE-2017-11882", "CVE-2017-11871", "CVE-2017-11848", "CVE-2017-8700", "CVE-2017-11836", "CVE-2017-11830", "CVE-2017-11873", "CVE-2017-11837", "CVE-2017-11838", "CVE-2017-11877", "CVE-2017-11827", "CVE-2017-11847", "CVE-2017-11883"], "description": "[](<https://1.bp.blogspot.com/-bw77Fu5JHFk/WgvsCj_FSNI/AAAAAAAAuvQ/ndA-2CYcAZEXy-7GyBeD6Snp-urYFhaPwCLcBGAs/s1600/microsoft-security-patch-updates.png>)\n\nIt's Patch Tuesday\u2014time to update your Windows devices. \n \nMicrosoft has [released](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/bae9d0d8-e497-e711-80e5-000d3a32fc99>) a large batch of security updates as part of its November Patch Tuesday in order to fix a total of 53 new security vulnerabilities in various Windows products, 19 of which rated as critical, 31 important and 3 moderate. \n \nThe vulnerabilities impact the Windows OS, Microsoft Office, Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, .NET Core, and more. 
\n \nAt least four of these vulnerabilities that the tech giant has now fixed have public exploits, allowing attackers to exploit them easily. But fortunately, none of the four are being used in the wild, according to Gill Langston at security firm [Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2017/11/14/november-patch-tuesday-53-vulnerabilities-and-a-massive-adobe-update>). \n \nThe four vulnerabilities with public exploits identified by Microsoft as CVE-2017-8700 (an information disclosure flaw in ASP.NET Core), CVE-2017-11827 (Microsoft browsers remote code execution), CVE-2017-11848 (Internet Explorer information disclosure) and CVE-2017-11883 (denial of service affecting ASP.NET Core). \n \n\n\n### Potentially Exploitable Security Vulnerabilities\n\n \nWhat's interesting about this month's patch Tuesday is that none of the Windows OS patches are rated as Critical. However, Device Guard Security Feature Bypass Vulnerability (CVE-2017-11830) and Privilege Elevation flaw (CVE-2017-11847) are something you should focus on. \n \nAlso, according to an [analysis](<https://www.zerodayinitiative.com/blog/2017/11/14/the-november-2017-security-update-review>) of Patch Tuesday fixes by Zero-Day Initiative, [CVE-2017-11830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11830>) and another flaw identified as [CVE-2017-11877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11877>) can be exploited to spread malware. \n\n\n> \"CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticated files,\" Zero-Day Initiative said. 
\n \n\"CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers.\"\n\nThe tech giant also fixed six remote code execution vulnerabilities exist \"in the way the scripting engine handles objects in memory in Microsoft browsers.\" \n \nMicrosoft identified these vulnerabilities as CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which could corrupt memory in such a way that attackers could execute malicious code in the context of the current user. \n\n\n> \"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,\" Microsoft said. \"These websites could contain specially crafted content that could exploit the vulnerability.\" \n\n> ### 17-Year-Old MS Office Flaw Lets Hackers Install Malware\n\n \nAlso, you should be extra careful when opening files in MS Office. \n \nAll versions of Microsoft Office released in the past 17 years found vulnerable to [remote code execution flaw](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>) (CVE-2017-11882) that works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update. \n \nHowever, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user. \n \nExploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software, which could allow attackers to remotely install malware on targeted computers. 
\n \n\n\n### Adobe Patch Tuesday: Patches 62 Vulnerabilities\n\n \nBesides fixing vulnerabilities in its various products, Microsoft has also released updates for Adobe Flash Player. \n \nThese updates correspond with [Adobe Update APSB17-33](<https://helpx.adobe.com/security/products/flash-player/apsb17-33.html>), which patches 62 CVEs for Acrobat and Reader alone. So, Flash Player users are advised to ensure that they update Adobe across their environment to stay protected. \n \nIt should also be noted that last Patch Tuesday, Microsoft quietly released the patch for the dangerous **[KRACK vulnerability](<https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html>)** (CVE-2017-13080) in the WPA2 wireless protocol. \n \nTherefore, users are also recommended to make sure that they have patched their systems with the last month's security patches. \n \nAlternatively, users are strongly advised to apply November security patches as soon as possible in order to keep hackers and cybercriminals away from taking control of their computers. 
\n \nFor installing security updates, just head on to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or you can install the updates manually.\n", "modified": "2017-11-15T10:15:50", "published": "2017-11-14T20:46:00", "id": "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "href": "https://thehackernews.com/2017/11/microsoft-patch-tuesday.html", "type": "thn", "title": "Patch Tuesday: Microsoft Releases Update to Fix 53 Vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2019-01-23T05:28:08", "bulletinFamily": "info", "cvelist": ["CVE-2017-11770", "CVE-2017-11827", "CVE-2017-11830", "CVE-2017-11836", "CVE-2017-11837", "CVE-2017-11838", "CVE-2017-11839", "CVE-2017-11848", "CVE-2017-11871", "CVE-2017-11873", "CVE-2017-11877", "CVE-2017-11879", "CVE-2017-11882", "CVE-2017-11883", "CVE-2017-8700"], "description": "Microsoft tackled 53 vulnerabilities with today\u2019s Patch Tuesday bulletin. Remote code execution bugs dominated this month\u2019s patches, representing 25 fixes. In total, 20 of Microsoft\u2019s security fixes were rated critical.\n\nNotable are four vulnerabilities with public exploits identified by Microsoft as [CVE-2017-11848](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11848>), [CVE-2017-11827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11827>), [CVE-2017-11883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11883>) and [CVE-2017-8700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8700>). 
But, according to an analysis of Patch Tuesday fixes by Qualys, none of the four are being [used in active campaigns](<https://blog.qualys.com/laws-of-vulnerabilities/2017/11/14/november-patch-tuesday-53-vulnerabilities-and-a-massive-adobe-update>).\n\nSecurity experts say companies should prioritize patching a half-dozen scripting engine memory corruption vulnerabilities impacting Microsoft\u2019s Edge and Internet Explorer 11 browsers running on versions of Windows 10, Windows 8.1 , Windows 7 and Windows Server (version 1709).\n\n\u201cA remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,\u201d wrote Microsoft regarding [CVE-2017-11836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11836>), [CVE-2017-11837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11837>), [CVE-2017-11838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11838>), [CVE-2017-11839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11839>), [CVE-2017-11871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11871>), and [CVE-2017-11873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11873>).\n\nMicrosoft said if exploited, an attacker could gain the same user rights as the current user. \u201cIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,\u201d Microsoft wrote. 
\u201cThese websites could contain specially crafted content that could exploit the vulnerability.\u201d\n\nResearchers at Zero Day Initiative said that of the critical vulnerabilities it spotted, a distinct malware[ bypass theme emerged](<https://www.thezdi.com/blog/2017/11/14/the-november-2017-security-update-review>). It wrote, \u201c[CVE-2017-11830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11830>) patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticated files\u2026 [CVE-2017-11877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11877>) fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers.\u201d\n\n\u201cSpeaking of malware, this patch fixes a CVE ([CVE-2017-11830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11830>)) that allows Device Guard to incorrectly validates an untrusted file. This means attackers could make an unsigned file appear to be signed. Since Device Guard relies on a valid signature to determine trustworthiness, malicious files could be executed by making untrusted files seem trusted. This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target,\u201d ZDI wrote.\n\nPart of Patch Tuesday also included an advisory ([ADV170020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170020>)), which is related to Microsoft Office Defense in Depth Update series. 
\u201cADV170020 is likely related to the malware abusing Dynamic Data Exchange, and this advisory may help restrict abusing this protocol feature,\u201d wrote Zero Day Initiative researchers.\n\nDespite a number of [attacks that have used Dynamic Data Exchange fields in Office](<https://threatpost.com/microsoft-provides-guidance-on-mitigating-dde-attacks/128833/>), Microsoft has remained insistent that DDE is a product feature and not a vulnerability.\n\nPart of Patch Tuesday also includes something new, according to Greg Wiseman, Rapid7\u2019s senior security researcher, who said Microsoft is applying fixes to some of its open source projects. \u201cSixteen of the Edge vulnerabilities have been resolved in ChakraCore, the open source part of Edge\u2019s JavaScript engine,\u201d Wiseman said. \u201c.NET Core is being patched for a denial of service (DoS) vulnerability ([CVE-2017-11770](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11770>)), and ASP.NET Core has fixes for DoS ([CVE-2017-11883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11883>)), privilege escalation ([CVE-2017-11879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11879>)), and information disclosure ([CVE-2017-8700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8700>)) vulnerabilities this month.\u201d\n\nLastly, Qualys warns ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), a Microsoft Office memory corruption vulnerability rated as important, should be prioritized. 
\u201cThere may be POC code for this vulnerability, so it is recommended that you give the Office updates attention this month as well,\u201d Qualys wrote.\n", "modified": "2017-11-14T17:10:48", "published": "2017-11-14T17:10:48", "id": "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "href": "https://threatpost.com/microsoft-patches-20-critical-vulnerabilities/128891/", "type": "threatpost", "title": "Microsoft November Patch Tuesday Fixes 20 Critical Vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-06-08T23:35:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11839", "CVE-2017-11880", "CVE-2017-11851", "CVE-2017-11856", "CVE-2017-11834", "CVE-2017-11848", "CVE-2017-11842", "CVE-2017-11836", "CVE-2017-11840", "CVE-2017-11831", "CVE-2017-11830", "CVE-2017-11791", "CVE-2017-11788", "CVE-2017-11837", "CVE-2017-11841", "CVE-2017-11838", "CVE-2017-11827", "CVE-2017-11869", "CVE-2017-11863", "CVE-2017-11833", "CVE-2017-11858", "CVE-2017-11855", "CVE-2017-11849", "CVE-2017-11843", "CVE-2017-11847", "CVE-2017-11853", "CVE-2017-11846", "CVE-2017-11850", "CVE-2017-11768", "CVE-2017-11866"], "description": "This host is missing a critical security\n update according to Microsoft KB4048956", "modified": "2020-06-04T00:00:00", "published": "2017-11-15T00:00:00", "id": "OPENVAS:1361412562310812082", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812082", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4048956)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4048956)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the 
GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812082\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11839\", \"CVE-2017-11840\", \"CVE-2017-11841\", \"CVE-2017-11842\",\n \"CVE-2017-11843\", \"CVE-2017-11768\", \"CVE-2017-11880\", \"CVE-2017-11788\",\n \"CVE-2017-11791\", \"CVE-2017-11827\", \"CVE-2017-11830\", \"CVE-2017-11831\",\n \"CVE-2017-11833\", \"CVE-2017-11834\", \"CVE-2017-11836\", \"CVE-2017-11837\",\n \"CVE-2017-11838\", \"CVE-2017-11846\", \"CVE-2017-11847\", \"CVE-2017-11848\",\n \"CVE-2017-11849\", \"CVE-2017-11850\", \"CVE-2017-11851\", \"CVE-2017-11853\",\n \"CVE-2017-11855\", \"CVE-2017-11856\", \"CVE-2017-11858\", \"CVE-2017-11863\",\n \"CVE-2017-11866\", \"CVE-2017-11869\");\n script_bugtraq_id(101735, 101734, 101719, 101740, 101705, 101755, 101711, 101715,\n 101703, 101714, 101721, 101706, 101725, 101727, 101722, 101737,\n 101741, 101729, 101709, 101762, 101738, 101763, 101764, 101751,\n 101753, 101716, 101748, 101732, 101742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-15 07:57:04 +0530 (Wed, 15 Nov 2017)\");\n 
script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4048956)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4048956\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly initialize a memory address.\n\n - A security feature bypass when Device Guard incorrectly validates an untrusted\n file.\n\n - An error in the way that Microsoft Edge handles cross-origin requests.\n\n - An error when the scripting engine does not properly handle objects in memory\n in Internet Explorer.\n\n - An error in the way the scripting engine handles objects in memory in Microsoft\n browsers.\n\n - An error in the way that the scripting engine handles objects in memory in\n Microsoft Edge.\n\n - An error when the Windows GDI component improperly discloses kernel memory\n addresses.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the way that Microsoft browsers access objects in memory.\n\n - An error when the scripting engine does not properly handle objects in\n memory in Microsoft browsers.\n\n - An error when the Windows kernel improperly initializes objects in memory.\n\n - An error when Windows Media Player improperly discloses file information.\n\n - An error when Microsoft Edge improperly handles redirect requests.\n\n - An error when the Microsoft Windows Graphics Component improperly handles objects\n in memory.\n\n - An error when Internet Explorer improperly handles page content, which could\n allow an attacker to detect the navigation of the user leaving a maliciously\n crafted page.\n\n - An error in Microsoft Edge when the Edge Content Security Policy (CSP) fails to\n properly validate certain 
specially crafted documents.\n\n - An error when the Windows kernel fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain access to potentially sensitive information, fake unsigned file appear\n to be signed, determine the origin of all web pages in the affected browser,\n gain the same user rights as the current user, cause a remote denial of service\n against a system, test for the presence of files on disk, force the browser to\n send data that would otherwise be restricted to a destination website of the\n attacker's choice and run arbitrary code in kernel mode.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for x64-based Systems\n\n - Microsoft Windows 10 for 32-bit Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4048956\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17672\"))\n{\n report = report_fixed_ver( file_checked:sysPath + 
\"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.17672\" );\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11839", "CVE-2017-11880", "CVE-2017-11851", "CVE-2017-11856", "CVE-2017-11834", "CVE-2017-11848", "CVE-2017-11842", "CVE-2017-11836", "CVE-2017-11840", "CVE-2017-11831", "CVE-2017-11830", "CVE-2017-11873", "CVE-2017-11791", "CVE-2017-11788", "CVE-2017-11837", "CVE-2017-11841", "CVE-2017-11838", "CVE-2017-11827", "CVE-2017-11869", "CVE-2017-11863", "CVE-2017-11833", "CVE-2017-11858", "CVE-2017-11855", "CVE-2017-11849", "CVE-2017-11843", "CVE-2017-11847", "CVE-2017-11853", "CVE-2017-11846", "CVE-2017-11850", "CVE-2017-11768", "CVE-2017-11866"], "description": "This host is missing a critical security\n update according to Microsoft KB4048952", "modified": "2020-06-04T00:00:00", "published": "2017-11-15T00:00:00", "id": "OPENVAS:1361412562310812136", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812136", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4048952)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4048952)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812136\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11863\", \"CVE-2017-11866\", \"CVE-2017-11869\", \"CVE-2017-11873\",\n \"CVE-2017-11768\", \"CVE-2017-11788\", \"CVE-2017-11880\", \"CVE-2017-11791\",\n \"CVE-2017-11827\", \"CVE-2017-11834\", \"CVE-2017-11836\", \"CVE-2017-11837\",\n \"CVE-2017-11838\", \"CVE-2017-11839\", \"CVE-2017-11840\", \"CVE-2017-11841\",\n \"CVE-2017-11842\", \"CVE-2017-11843\", \"CVE-2017-11846\", \"CVE-2017-11847\",\n \"CVE-2017-11848\", \"CVE-2017-11849\", \"CVE-2017-11850\", \"CVE-2017-11851\",\n \"CVE-2017-11853\", \"CVE-2017-11855\", \"CVE-2017-11856\", \"CVE-2017-11858\",\n \"CVE-2017-11830\", \"CVE-2017-11831\", \"CVE-2017-11833\");\n script_bugtraq_id(101748, 101732, 101742, 101728, 101705, 101711, 101755, 101715, 101703,\n 101725, 101727, 101722, 101737, 101735, 101734, 101719, 101740, 101741,\n 101729, 101709, 101762, 101738, 101763, 101764, 101751, 101753, 101716,\n 101714, 101721, 101706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-15 08:08:33 +0530 (Wed, 15 Nov 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4048952)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4048952\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the 
target host.\");\n\n script_tag(name:\"insight\", value:\"This update includes critical security updates\n\n - Addressed issue with the rendering of a graphics element in Internet Explorer.\n\n - Addressed issue where access to the Trusted Platform Module (TPM) for\n administrative operations wasn't restricted to administrative users.\n\n - Addressed issue where applications based on the Microsoft JET Database Engine\n fail when creating or opening Microsoft Excel .xls files.\n\n - Addressed a crash in Internet Explorer that was seen in machines that used large\n font-size settings.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain the same user rights as the current user, and obtain information to further\n compromise the user's system. Also attacker can run arbitrary code in kernel mode.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1511 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4048952\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.1231\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10586.0 - 11.0.10586.1231\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:55:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11839", "CVE-2017-11880", "CVE-2017-11851", "CVE-2017-11856", "CVE-2017-11834", "CVE-2017-11848", "CVE-2017-11842", "CVE-2017-11836", "CVE-2017-11840", "CVE-2017-11831", "CVE-2017-11830", "CVE-2017-11873", "CVE-2017-11872", "CVE-2017-11791", "CVE-2017-11788", "CVE-2017-11837", "CVE-2017-11841", "CVE-2017-11838", "CVE-2017-11827", "CVE-2017-11869", "CVE-2017-11861", "CVE-2017-11863", "CVE-2017-11833", "CVE-2017-11858", "CVE-2017-11855", "CVE-2017-11849", "CVE-2017-11843", "CVE-2017-11847", "CVE-2017-11853", "CVE-2017-11846", "CVE-2017-11850", "CVE-2017-11768", "CVE-2017-11866"], 
"description": "This host is missing a critical security\n update according to Microsoft KB4048953", "modified": "2019-12-20T00:00:00", "published": "2017-11-15T00:00:00", "id": "OPENVAS:1361412562310812081", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812081", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4048953)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4048953)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812081\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-11839\", \"CVE-2017-11840\", \"CVE-2017-11841\", \"CVE-2017-11842\",\n \"CVE-2017-11843\", \"CVE-2017-11768\", \"CVE-2017-11880\", \"CVE-2017-11788\",\n \"CVE-2017-11791\", \"CVE-2017-11827\", \"CVE-2017-11830\", \"CVE-2017-11831\",\n \"CVE-2017-11833\", \"CVE-2017-11834\", \"CVE-2017-11836\", \"CVE-2017-11837\",\n \"CVE-2017-11838\", \"CVE-2017-11846\", \"CVE-2017-11847\", \"CVE-2017-11848\",\n \"CVE-2017-11849\", \"CVE-2017-11850\", \"CVE-2017-11851\", \"CVE-2017-11853\",\n \"CVE-2017-11855\", \"CVE-2017-11856\", \"CVE-2017-11858\", \"CVE-2017-11861\",\n \"CVE-2017-11863\", \"CVE-2017-11866\", \"CVE-2017-11869\", \"CVE-2017-11872\",\n \"CVE-2017-11873\");\n script_bugtraq_id(101735, 101734, 101719, 101740, 101705, 101755, 101711, 101715,\n 101703, 101714, 101721, 101706, 101725, 101727, 101722, 101737,\n 101741, 101729, 101709, 101762, 101738, 101763, 101764, 101751,\n 101753, 101716, 101723, 101748, 101732, 101742, 101749, 101728);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-11-15 07:36:54 +0530 (Wed, 15 Nov 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4048953)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4048953\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly initialize a memory address.\n\n - A security feature bypass when Device Guard incorrectly validates an untrusted\n file.\n\n - An error in the way that Microsoft Edge handles cross-origin requests.\n\n - An error when the scripting engine does not properly handle objects in memory\n in Internet Explorer.\n\n - An error in the way the scripting engine handles objects in memory in Microsoft\n browsers.\n\n - An error in the way that the scripting engine handles objects in memory in\n Microsoft Edge.\n\n - An error when the Windows GDI component improperly discloses kernel memory\n addresses.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the way that Microsoft browsers access objects in memory.\n\n - An error when the scripting engine does not properly handle objects in\n memory in Microsoft browsers.\n\n - An error when the Windows kernel improperly initializes objects in memory.\n\n - An error when Windows Media Player improperly discloses file information.\n\n - An error when Microsoft Edge improperly handles redirect requests.\n\n - An error when the Microsoft Windows Graphics Component improperly handles objects\n in memory.\n\n - An error when Internet Explorer improperly handles page content, which could\n allow an attacker to detect the navigation of the user leaving a maliciously\n crafted page.\n\n - An error in Microsoft Edge when the Edge Content Security Policy (CSP) fails to\n properly validate certain specially crafted documents.\n\n - An error when the Windows kernel fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n 
to gain access to potentially sensitive information, fake unsigned file appear\n to be signed, determine the origin of all web pages in the affected browser,\n gain the same user rights as the current user, cause a remote denial of service\n against a system, test for the presence of files on disk, force the browser to\n send data that would otherwise be restricted to a destination website of the\n attacker's choice and run arbitrary code in kernel mode.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2016\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4048953\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2016:1, win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.1883\"))\n{\n report = report_fixed_ver( file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.1883\" );\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11839", "CVE-2017-11880", "CVE-2017-11851", "CVE-2017-11871", "CVE-2017-11856", "CVE-2017-11844", "CVE-2017-11834", "CVE-2017-11848", "CVE-2017-11842", "CVE-2017-11836", "CVE-2017-11870", "CVE-2017-11840", "CVE-2017-11831", "CVE-2017-11830", "CVE-2017-11873", "CVE-2017-11872", "CVE-2017-11791", "CVE-2017-11788", "CVE-2017-11837", "CVE-2017-11841", "CVE-2017-11838", "CVE-2017-11827", "CVE-2017-11845", "CVE-2017-11803", "CVE-2017-11869", "CVE-2017-11861", "CVE-2017-11863", "CVE-2017-11833", "CVE-2017-11858", "CVE-2017-11855", "CVE-2017-11849", "CVE-2017-11843", "CVE-2017-11847", "CVE-2017-11874", "CVE-2017-11853", "CVE-2017-11846", "CVE-2017-11850", "CVE-2017-11768", "CVE-2017-11866"], "description": "This host is missing a critical security\n update according to Microsoft KB4048954", "modified": "2020-06-04T00:00:00", "published": "2017-11-15T00:00:00", "id": "OPENVAS:1361412562310812089", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812089", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4048954)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4048954)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812089\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11839\", \"CVE-2017-11840\", \"CVE-2017-11841\", \"CVE-2017-11842\",\n \"CVE-2017-11843\", \"CVE-2017-11768\", \"CVE-2017-11873\", \"CVE-2017-11874\",\n \"CVE-2017-11880\", \"CVE-2017-11788\", \"CVE-2017-11791\", \"CVE-2017-11803\",\n \"CVE-2017-11827\", \"CVE-2017-11830\", \"CVE-2017-11831\", \"CVE-2017-11833\",\n \"CVE-2017-11834\", \"CVE-2017-11836\", \"CVE-2017-11837\", \"CVE-2017-11838\",\n \"CVE-2017-11844\", \"CVE-2017-11845\", \"CVE-2017-11846\", \"CVE-2017-11847\",\n \"CVE-2017-11848\", \"CVE-2017-11849\", \"CVE-2017-11850\", \"CVE-2017-11851\",\n \"CVE-2017-11853\", \"CVE-2017-11855\", \"CVE-2017-11856\", \"CVE-2017-11858\",\n \"CVE-2017-11861\", \"CVE-2017-11863\", \"CVE-2017-11866\", \"CVE-2017-11869\",\n \"CVE-2017-11870\", \"CVE-2017-11871\", \"CVE-2017-11872\");\n script_bugtraq_id(101735, 101734, 101719, 101740, 101705, 101728, 101750, 101755,\n 101711, 101715, 101704, 101703, 101714, 101721, 101706, 101725,\n 101727, 101722, 101737, 101707, 101708, 101741, 101729, 101709,\n 101762, 101738, 101763, 101764, 101751, 101753, 101716, 101723,\n 101748, 101732, 101742, 101731, 101730, 101749);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-15 08:37:02 +0530 (Wed, 15 Nov 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities 
(KB4048954)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4048954\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly initialize a memory address.\n\n - A security feature bypass when Device Guard incorrectly validates an untrusted\n file.\n\n - An error in the way that Microsoft Edge handles cross-origin requests.\n\n - An error when the scripting engine does not properly handle objects in memory\n in Internet Explorer.\n\n - An error in the way the scripting engine handles objects in memory in Microsoft\n browsers.\n\n - An error in the way that the scripting engine handles objects in memory in\n Microsoft Edge.\n\n - An error when the Windows GDI component improperly discloses kernel memory\n addresses.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error when the Windows kernel fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain access to potentially sensitive information, fake unsigned file appear\n to be signed, determine the origin of all web pages in the affected browser,\n gain the same user rights as the current user, cause a remote denial of service\n against a system, test for the presence of files on disk, force the browser to\n send data that would otherwise be restricted to a destination website of the\n attacker's choice and run arbitrary code in kernel mode.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4048954\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.725\"))\n{\n report = report_fixed_ver( file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.725\" );\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8425", "CVE-2018-8354", "CVE-2018-8467", "CVE-2018-8443", "CVE-2018-8410", "CVE-2018-8442", "CVE-2018-8419", "CVE-2018-8433", "CVE-2018-8271", "CVE-2018-8439", "CVE-2018-8449", "CVE-2018-8424", "CVE-2018-8434", "CVE-2018-8466", "CVE-2018-8447", "CVE-2018-8367", "CVE-2018-8452", "CVE-2018-5391", "CVE-2018-8392", "CVE-2018-8440", "CVE-2018-8420", "CVE-2018-8393", "CVE-2018-8332", "CVE-2018-8457", "CVE-2018-8438", "CVE-2018-8475", "CVE-2018-8435", "CVE-2018-8446", "CVE-2018-8444", "CVE-2018-8315", "CVE-2018-8421", "CVE-2018-8462", "CVE-2018-8468", "CVE-2018-8335", "CVE-2018-8470", 
"CVE-2018-8469", "CVE-2018-8464"], "description": "This host is missing a critical security\n update according to Microsoft KB4457132", "modified": "2020-06-04T00:00:00", "published": "2018-09-12T00:00:00", "id": "OPENVAS:1361412562310814012", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814012", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4457132)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4457132)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814012\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8444\", \"CVE-2018-8446\", \"CVE-2018-8447\", \"CVE-2018-8449\",\n \"CVE-2018-8452\", \"CVE-2018-5391\", \"CVE-2018-8271\", \"CVE-2018-8315\",\n \"CVE-2018-8332\", \"CVE-2018-8335\", \"CVE-2018-8354\", \"CVE-2018-8367\",\n \"CVE-2018-8392\", \"CVE-2018-8393\", \"CVE-2018-8410\", \"CVE-2018-8419\",\n \"CVE-2018-8420\", \"CVE-2018-8421\", \"CVE-2018-8424\", \"CVE-2018-8425\",\n \"CVE-2018-8433\", \"CVE-2018-8434\", \"CVE-2018-8435\", \"CVE-2018-8438\",\n \"CVE-2018-8439\", \"CVE-2018-8440\", \"CVE-2018-8442\", \"CVE-2018-8443\",\n \"CVE-2018-8457\", \"CVE-2018-8462\", \"CVE-2018-8464\", \"CVE-2018-8466\",\n \"CVE-2018-8467\", \"CVE-2018-8468\", \"CVE-2018-8469\", \"CVE-2018-8470\",\n \"CVE-2018-8475\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-12 11:51:41 +0530 (Wed, 12 Sep 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4457132)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4457132\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - 
Microsoft Edge PDF Reader improperly handles objects in memory.\n\n - DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.\n\n - Microsoft XML Core Services MSXML parser processes user input.\n\n - Windows improperly parses files.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Microsoft JET Database Engine improperly handles objects in memory.\n\n - Windows Graphics component improperly handles objects in memory.\n\n - Windows Hyper-V BIOS loader fails to provide a high-entropy source.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - Windows does not properly handle specially crafted image files.\n\n - Scripting engine does not properly handle objects in memory in Microsoft\n browsers.\n\n - A universal cross-site scripting (UXSS) condition in Internet Explorer.\n\n - Microsoft Server Block Message (SMB) improperly handles crafted requests\n to the server.\n\n - Denial of service vulnerability (named FragmentSmack).\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - Device Guard incorrectly validates an untrusted file.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Microsoft Edge improperly handles specific HTML content.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash the affected system, execute arbitrary code on the host operating system,\n disclose contents of System memory and also read privileged data across trust\n boundaries.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4457132\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17975\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.17975\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:29:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8425", "CVE-2018-8354", "CVE-2018-8467", "CVE-2018-8443", "CVE-2018-8410", "CVE-2018-8442", "CVE-2018-8419", "CVE-2018-8433", "CVE-2018-8271", "CVE-2018-0965", "CVE-2018-8439", "CVE-2018-8449", "CVE-2018-8465", "CVE-2018-8424", "CVE-2018-8434", "CVE-2018-8466", "CVE-2018-8447", "CVE-2018-8367", "CVE-2018-8452", "CVE-2018-5391", "CVE-2018-8392", "CVE-2018-8440", "CVE-2018-8420", "CVE-2018-8393", "CVE-2018-8332", "CVE-2018-8457", "CVE-2018-8455", "CVE-2018-8438", "CVE-2018-8475", "CVE-2018-8435", "CVE-2018-8446", "CVE-2018-8315", "CVE-2018-8421", "CVE-2018-8462", "CVE-2018-8468", 
"CVE-2018-8335", "CVE-2018-8470", "CVE-2018-8469", "CVE-2018-8464"], "description": "This host is missing a critical security\n update according to Microsoft KB4457131", "modified": "2019-12-20T00:00:00", "published": "2018-09-12T00:00:00", "id": "OPENVAS:1361412562310814013", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814013", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4457131)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4457131)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814013\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-8446\", \"CVE-2018-8447\", \"CVE-2018-8449\", \"CVE-2018-8452\",\n \"CVE-2018-0965\", \"CVE-2018-8271\", \"CVE-2018-8315\", \"CVE-2018-8332\",\n \"CVE-2018-8335\", \"CVE-2018-8354\", \"CVE-2018-8367\", \"CVE-2018-8392\",\n \"CVE-2018-8393\", \"CVE-2018-8410\", \"CVE-2018-8419\", \"CVE-2018-8420\",\n \"CVE-2018-8421\", \"CVE-2018-8424\", \"CVE-2018-8425\", \"CVE-2018-8433\",\n \"CVE-2018-8434\", \"CVE-2018-8435\", \"CVE-2018-8438\", \"CVE-2018-8439\",\n \"CVE-2018-8440\", \"CVE-2018-8442\", \"CVE-2018-8443\", \"CVE-2018-8455\",\n \"CVE-2018-8457\", \"CVE-2018-8462\", \"CVE-2018-8464\", \"CVE-2018-8465\",\n \"CVE-2018-8466\", \"CVE-2018-8467\", \"CVE-2018-8468\", \"CVE-2018-8469\",\n \"CVE-2018-8470\", \"CVE-2018-8475\", \"CVE-2018-5391\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-09-12 12:06:44 +0530 (Wed, 12 Sep 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4457131)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4457131\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Chakra scripting engine improperly handles 
objects in memory in Microsoft Edge.\n\n - Microsoft Edge PDF Reader improperly handles objects in memory.\n\n - DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.\n\n - Microsoft XML Core Services MSXML parser processes user input.\n\n - Windows improperly parses files.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Microsoft JET Database Engine improperly handles objects in memory.\n\n - Windows Graphics component improperly handles objects in memory.\n\n - Windows Hyper-V BIOS loader fails to provide a high-entropy source.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - Windows does not properly handle specially crafted image files.\n\n - Scripting engine does not properly handle objects in memory in Microsoft\n browsers.\n\n - A universal cross-site scripting (UXSS) condition in Internet Explorer.\n\n - Microsoft Server Block Message (SMB) improperly handles crafted requests\n to the server.\n\n - Denial of service vulnerability (named FragmentSmack).\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - Device Guard incorrectly validates an untrusted file.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Microsoft Edge improperly handles specific HTML content.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash the affected system, execute arbitrary code on the host operating system,\n disclose contents of System memory and also read privileged data across trust\n boundaries.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released 
updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4457131\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2484\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2484\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8425", "CVE-2018-8461", "CVE-2018-8354", "CVE-2018-8467", "CVE-2018-8443", "CVE-2018-8410", "CVE-2018-8442", "CVE-2018-8456", "CVE-2018-8419", "CVE-2018-8433", "CVE-2018-8271", "CVE-2018-0965", "CVE-2018-8439", "CVE-2018-8449", "CVE-2018-8465", "CVE-2018-8424", "CVE-2018-8434", "CVE-2018-8466", "CVE-2018-8337", "CVE-2018-8447", "CVE-2018-8367", "CVE-2018-8452", "CVE-2018-5391", "CVE-2018-8392", "CVE-2018-8440", "CVE-2018-8420", "CVE-2018-8393", "CVE-2018-8332", "CVE-2018-8457", "CVE-2018-8455", "CVE-2018-8438", "CVE-2018-8475", "CVE-2018-8435", "CVE-2018-8446", 
"CVE-2018-8315", "CVE-2018-8421", "CVE-2018-8462", "CVE-2018-8468", "CVE-2018-8335", "CVE-2018-8470", "CVE-2018-8469", "CVE-2018-8464"], "description": "This host is missing a critical security\n update according to Microsoft KB4457142", "modified": "2020-06-04T00:00:00", "published": "2018-09-18T00:00:00", "id": "OPENVAS:1361412562310814215", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814215", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4457142)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4457142)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814215\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-5391\", \"CVE-2018-0965\", \"CVE-2018-8271\", \"CVE-2018-8315\",\n \"CVE-2018-8332\", \"CVE-2018-8335\", \"CVE-2018-8337\", \"CVE-2018-8354\",\n \"CVE-2018-8367\", \"CVE-2018-8392\", \"CVE-2018-8393\", \"CVE-2018-8410\",\n \"CVE-2018-8419\", \"CVE-2018-8420\", \"CVE-2018-8421\", \"CVE-2018-8424\",\n \"CVE-2018-8425\", \"CVE-2018-8433\", \"CVE-2018-8434\", \"CVE-2018-8435\",\n \"CVE-2018-8438\", \"CVE-2018-8439\", \"CVE-2018-8440\", \"CVE-2018-8442\",\n \"CVE-2018-8443\", \"CVE-2018-8446\", \"CVE-2018-8447\", \"CVE-2018-8449\",\n \"CVE-2018-8452\", \"CVE-2018-8455\", \"CVE-2018-8456\", \"CVE-2018-8457\",\n \"CVE-2018-8461\", \"CVE-2018-8462\", \"CVE-2018-8464\", \"CVE-2018-8465\",\n \"CVE-2018-8466\", \"CVE-2018-8467\", \"CVE-2018-8468\", \"CVE-2018-8469\",\n \"CVE-2018-8470\", \"CVE-2018-8475\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-18 13:02:24 +0530 (Tue, 18 Sep 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4457142)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4457142\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists 
due to,\n\n - An error in the way that the Chakra scripting engine handles objects in memory.\n\n - An error when Microsoft Edge PDF Reader improperly handles objects in memory.\n\n - An error when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles\n objects in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in Windows that allows a sandbox escape.\n\n - An error in Microsoft Edge that could allow an attacker to escape from the\n AppContainer sandbox in the browser.\n\n - An error in Internet Explorer due to how scripts are handled that allows a\n universal cross-site scripting (UXSS) condition.\n\n - An error when Windows Hyper-V on a host server fails to properly validate input\n from an authenticated user on a guest operating system.\n\n - An error when Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when the Windows Kernel API improperly handles registry objects in memory.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows Graphics component improperly handles objects in memory.\n\n - An error when Windows Hyper-V BIOS loader fails to provide a high-entropy source.\n\n - An error when Windows Hyper-V on a host operating system fails to properly\n validate input from an authenticated user on a guest operating system.\n\n - An error when the Windows kernel fails to properly initialize a memory address.\n\n - A security feature bypass exists when Device Guard incorrectly validates an\n untrusted file.\n\n - An error when Windows does not properly handle specially crafted image files.\n\n - An error when the scripting engine does not properly handle objects in memory in\n Microsoft browsers.\n\n - An error in the way that the 
Windows Kernel handles objects in memory.\n\n - An error when Windows Subsystem for Linux improperly handles case sensitivity.\n\n - An error in the Microsoft Server Block Message (SMB) when an attacker sends\n specially crafted requests to the server.\n\n - Microsoft is aware of a denial of service vulnerability (named FragmentSmack\n CVE-2018-5391) affecting Windows systems.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Microsoft XML Core Services MSXML parser processes user\n input.\n\n - An error when Windows improperly handles calls to Advanced Local Procedure\n Call (ALPC).\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when Microsoft Edge improperly handles specific HTML content.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to gain the same user rights as the current user, run processes in\n an elevated context, escape sandbox, access any session, execute arbitrary code,\n conduct a DoS condition, take complete control of an affected system, disclose\n contents of System memory, gain access to sensitive information, bypass security\n restrictions, make an unsigned file appear to be signed and replace or delete\n arbitrary files.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4457142\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.664\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.664\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:05:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8425", "CVE-2018-8354", "CVE-2018-8467", "CVE-2018-8443", "CVE-2018-8410", "CVE-2018-8442", "CVE-2018-8456", "CVE-2018-8419", "CVE-2018-8433", "CVE-2018-8271", "CVE-2018-0965", "CVE-2018-8439", "CVE-2018-8449", "CVE-2018-8465", "CVE-2018-8424", "CVE-2018-8434", "CVE-2018-8466", "CVE-2018-8447", "CVE-2018-8367", "CVE-2018-8452", "CVE-2018-5391", "CVE-2018-8392", "CVE-2018-8440", "CVE-2018-8420", "CVE-2018-8393", "CVE-2018-8332", "CVE-2018-8457", "CVE-2018-8455", "CVE-2018-8438", "CVE-2018-8475", "CVE-2018-8435", "CVE-2018-8446", "CVE-2018-8315", "CVE-2018-8421", "CVE-2018-8462", 
"CVE-2018-8468", "CVE-2018-8335", "CVE-2018-8470", "CVE-2018-8469", "CVE-2018-8464"], "description": "This host is missing a critical security\n update according to Microsoft KB4457138", "modified": "2020-06-04T00:00:00", "published": "2018-09-12T00:00:00", "id": "OPENVAS:1361412562310814011", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814011", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4457138)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4457138)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814011\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8443\", \"CVE-2018-8446\", \"CVE-2018-8447\", \"CVE-2018-8449\",\n \"CVE-2018-8452\", \"CVE-2018-5391\", \"CVE-2018-0965\", \"CVE-2018-8271\",\n \"CVE-2018-8315\", \"CVE-2018-8332\", \"CVE-2018-8335\", \"CVE-2018-8354\",\n \"CVE-2018-8367\", \"CVE-2018-8392\", \"CVE-2018-8393\", \"CVE-2018-8410\",\n \"CVE-2018-8419\", \"CVE-2018-8420\", \"CVE-2018-8421\", \"CVE-2018-8424\",\n \"CVE-2018-8425\", \"CVE-2018-8433\", \"CVE-2018-8434\", \"CVE-2018-8435\",\n \"CVE-2018-8438\", \"CVE-2018-8439\", \"CVE-2018-8440\", \"CVE-2018-8442\",\n \"CVE-2018-8455\", \"CVE-2018-8456\", \"CVE-2018-8457\", \"CVE-2018-8462\",\n \"CVE-2018-8464\", \"CVE-2018-8465\", \"CVE-2018-8466\", \"CVE-2018-8467\",\n \"CVE-2018-8468\", \"CVE-2018-8469\", \"CVE-2018-8470\", \"CVE-2018-8475\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-12 11:34:21 +0530 (Wed, 12 Sep 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4457138)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4457138\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Denial of service 
vulnerability (named 'FragmentSmack').\n\n - Hyper-V on a host server fails to properly validate guest operating system\n user input.\n\n - Windows bowser.sys kernel-mode driver fails to properly handle objects in\n memory.\n\n - Browser scripting engine improperly handle object types.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - SMB improperly handles specially crafted client requests.\n\n - Scripting engine improperly handles objects in memory.\n\n - Microsoft JET Database Engine improperly handles objects in memory.\n\n - Windows Kernel API improperly handles registry objects in memory.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - MSXML parser improperly processes user input.\n\n - Microsoft .NET Framework improperly processes untrusted input.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Microsoft Edge improperly handles specific HTML content.\n\n - Windows Graphics component improperly handles objects in memory.\n\n - Windows Hyper-V BIOS loader fails to provide a high-entropy source.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash the affected system, execute arbitrary code on the host operating system,\n disclose contents of System memory and also read privileged data across trust\n boundaries.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4457138\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1323\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1323\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8425", "CVE-2018-8461", "CVE-2018-8463", "CVE-2018-8441", "CVE-2018-8354", "CVE-2018-8467", "CVE-2017-5753", "CVE-2018-8443", "CVE-2017-5754", "CVE-2018-8410", "CVE-2018-8442", "CVE-2018-8456", "CVE-2018-8419", "CVE-2018-8433", "CVE-2018-8271", "CVE-2018-0965", "CVE-2018-8459", "CVE-2018-8436", "CVE-2018-8439", "CVE-2018-8449", "CVE-2018-8465", "CVE-2018-8424", "CVE-2018-8434", "CVE-2018-8437", "CVE-2018-8466", "CVE-2018-8447", "CVE-2018-8367", "CVE-2018-8452", "CVE-2018-5391", "CVE-2017-5715", "CVE-2018-8392", "CVE-2018-8440", "CVE-2018-8420", "CVE-2018-8393", "CVE-2018-8332", 
"CVE-2018-8457", "CVE-2018-8455", "CVE-2018-8438", "CVE-2018-8475", "CVE-2018-8435", "CVE-2018-8446", "CVE-2018-8366", "CVE-2018-8315", "CVE-2018-8421", "CVE-2018-8462", "CVE-2018-8468", "CVE-2018-8445", "CVE-2018-8335", "CVE-2018-8470", "CVE-2018-8469", "CVE-2018-8464"], "description": "This host is missing a critical security\n update according to Microsoft KB4457128", "modified": "2020-06-04T00:00:00", "published": "2018-09-12T00:00:00", "id": "OPENVAS:1361412562310814014", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814014", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4457128)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4457128)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814014\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8443\", \"CVE-2018-8445\", \"CVE-2018-8446\", \"CVE-2018-8447\",\n \"CVE-2018-8449\", \"CVE-2018-8452\", \"CVE-2018-0965\", \"CVE-2018-8271\",\n \"CVE-2018-8315\", \"CVE-2018-8332\", \"CVE-2018-8335\", \"CVE-2018-8354\",\n \"CVE-2018-8366\", \"CVE-2018-8367\", \"CVE-2018-8392\", \"CVE-2018-8393\",\n \"CVE-2018-8410\", \"CVE-2018-8419\", \"CVE-2018-8420\", \"CVE-2018-8421\",\n \"CVE-2018-8424\", \"CVE-2018-8425\", \"CVE-2018-8433\", \"CVE-2018-8434\",\n \"CVE-2018-8435\", \"CVE-2018-8436\", \"CVE-2018-8437\", \"CVE-2018-8438\",\n \"CVE-2018-8439\", \"CVE-2018-8440\", \"CVE-2018-8441\", \"CVE-2018-8442\",\n \"CVE-2018-8455\", \"CVE-2018-8456\", \"CVE-2018-8457\", \"CVE-2018-8459\",\n \"CVE-2018-8461\", \"CVE-2018-8462\", \"CVE-2018-8463\", \"CVE-2018-8464\",\n \"CVE-2018-8465\", \"CVE-2018-8466\", \"CVE-2018-8467\", \"CVE-2018-8468\",\n \"CVE-2018-8469\", \"CVE-2018-8470\", \"CVE-2018-8475\", \"CVE-2018-5391\",\n \"CVE-2017-5753\", \"CVE-2017-5715\", \"CVE-2017-5754\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-12 12:17:54 +0530 (Wed, 12 Sep 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4457128)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft 
KB4457128\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Denial of service vulnerability (named 'FragmentSmack').\n\n - Hyper-V on a host server fails to properly validate guest operating system\n user input.\n\n - Windows bowser.sys kernel-mode driver fails to properly handle objects in\n memory.\n\n - Browser scripting engine improperly handle object types.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - SMB improperly handles specially crafted client requests.\n\n - Scripting engine improperly handles objects in memory.\n\n - Microsoft JET Database Engine improperly handles objects in memory.\n\n - Windows Kernel API improperly handles registry objects in memory.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - MSXML parser improperly processes user input.\n\n - Microsoft .NET Framework improperly processes untrusted input.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Microsoft Edge improperly handles specific HTML content.\n\n - Windows Graphics component improperly handles objects in memory.\n\n - An integer overflow in Windows Subsystem for Linux.\n\n - Windows Hyper-V BIOS loader fails to provide a high-entropy source.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Speculative execution side-channel vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash the affected system, execute arbitrary code on the host operating system,\n disclose contents of System memory and also read privileged data across trust\n boundaries.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", 
value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4457128\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.284\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.284\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-08-19T05:12:46", "description": "The remote Windows host is missing security update 4048952.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11827,\n CVE-2017-11858)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11837, CVE-2017-11838, CVE-2017-11843,\n CVE-2017-11846)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2017-11830)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11855,\n CVE-2017-11856, CVE-2017-11869)\n\n - An information vulnerability exists when Windows Media\n Player improperly discloses file information. Successful\n exploitation of the vulnerability could allow the\n attacker to test for the presence of files on disk.\n (CVE-2017-11768)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104549);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2017-11768\",\n \"CVE-2017-11788\",\n \"CVE-2017-11791\",\n \"CVE-2017-11827\",\n \"CVE-2017-11830\",\n \"CVE-2017-11831\",\n \"CVE-2017-11833\",\n \"CVE-2017-11834\",\n \"CVE-2017-11836\",\n \"CVE-2017-11837\",\n \"CVE-2017-11838\",\n \"CVE-2017-11839\",\n \"CVE-2017-11840\",\n \"CVE-2017-11841\",\n \"CVE-2017-11842\",\n \"CVE-2017-11843\",\n \"CVE-2017-11846\",\n \"CVE-2017-11847\",\n \"CVE-2017-11848\",\n \"CVE-2017-11849\",\n \"CVE-2017-11850\",\n \"CVE-2017-11851\",\n \"CVE-2017-11853\",\n \"CVE-2017-11855\",\n \"CVE-2017-11856\",\n \"CVE-2017-11858\",\n \"CVE-2017-11861\",\n \"CVE-2017-11863\",\n \"CVE-2017-11866\",\n \"CVE-2017-11869\",\n \"CVE-2017-11872\",\n \"CVE-2017-11873\",\n \"CVE-2017-11880\"\n );\n script_bugtraq_id(\n 101703,\n 101705,\n 101706,\n 101709,\n 101711,\n 101714,\n 101715,\n 101716,\n 101719,\n 101721,\n 101722,\n 101723,\n 101725,\n 101727,\n 101728,\n 101729,\n 101732,\n 101733,\n 101734,\n 101735,\n 101737,\n 101738,\n 101740,\n 101741,\n 101742,\n 101748,\n 101749,\n 101751,\n 101753,\n 101755,\n 101762,\n 101763,\n 101764\n );\n script_xref(name:\"MSKB\", value:\"4048953\");\n script_xref(name:\"MSFT\", value:\"MS17-4048953\");\n\n script_name(english:\"KB4048953: Windows 10 Version 1607 and Windows Server 2016 November 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4048953.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Microsoft 
Edge improperly handles redirect requests. The\n vulnerability allows Microsoft Edge to bypass Cross-\n Origin Resource Sharing (CORS) redirect restrictions,\n and to follow redirect requests that should otherwise be\n ignored. An attacker who successfully exploited the\n vulnerability could force the browser to send data that\n would otherwise be restricted to a destination website\n of the attacker's choice. (CVE-2017-11872)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11827,\n CVE-2017-11858)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11837, CVE-2017-11838, CVE-2017-11843,\n CVE-2017-11846)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. 
The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2017-11830)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2017-11834)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11855,\n CVE-2017-11856, CVE-2017-11869)\n\n - An information vulnerability exists when Windows Media\n Player improperly discloses file information. Successful\n exploitation of the vulnerability could allow the\n attacker to test for the presence of files on disk.\n (CVE-2017-11768)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11880)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge when the Edge Content Security Policy\n (CSP) fails to properly validate certain specially\n crafted documents. An attacker who exploited the bypass\n could trick a user into loading a page containing\n malicious content. (CVE-2017-11863)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11836,\n CVE-2017-11839, CVE-2017-11840, CVE-2017-11841,\n CVE-2017-11861, CVE-2017-11866, CVE-2017-11873)\n\n - A Win32k information disclosure vulnerability exists\n when the Windows GDI component improperly discloses\n kernel memory addresses. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-11851)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft browsers. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2017-11791)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2017-11847)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles page content, which\n could allow an attacker to detect the navigation of the\n user leaving a maliciously crafted page.\n (CVE-2017-11848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2017-11831,\n CVE-2017-11842, CVE-2017-11849, CVE-2017-11853)\n\n - A denial of service vulnerability exists when Windows\n Search improperly handles objects in memory. 
An attacker\n who successfully exploited the vulnerability could cause\n a remote denial of service against a system.\n (CVE-2017-11788)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-11850)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2017-11833)\");\n # https://support.microsoft.com/en-us/help/4048953/windows-10-update-kb4048953\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?119c56db\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4048953.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11847\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-11\";\nkbs = make_list('4048953');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"11_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4048953])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:12:46", "description": "The remote Windows host is missing security update 4048955.\nIt is, 
therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11827,\n CVE-2017-11858)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11837, CVE-2017-11838, CVE-2017-11843,\n CVE-2017-11846)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11803, CVE-2017-11844)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11855,\n CVE-2017-11856, CVE-2017-11869)\n\n - An information vulnerability exists when Windows Media\n Player improperly discloses file information. 
Successful\n exploitation of the vulnerability could allow the\n attacker to test for the presence of files on disk.\n (CVE-2017-11768)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2017-11834)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge when the Edge Content Security Policy\n (CSP) fails to properly validate certain specially\n crafted documents. An attacker who exploited the bypass\n could trick a user into loading a page containing\n malicious content. (CVE-2017-11863)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11880)\n\n - A Win32k information disclosure vulnerability exists\n when the Windows GDI component improperly discloses\n kernel memory addresses. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-11851)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11836,\n CVE-2017-11839, CVE-2017-11840, CVE-2017-11841,\n CVE-2017-11861, CVE-2017-11862, CVE-2017-11866,\n CVE-2017-11870, CVE-2017-11871, CVE-2017-11873)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft browsers. 
An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2017-11791)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge as a result of how memory is accessed in\n code compiled by the Edge Just-In-Time (JIT) compiler\n that allows Control Flow Guard (CFG) to be bypassed. By\n itself, this CFG bypass vulnerability does not allow\n arbitrary code execution. However, an attacker could use\n the CFG bypass vulnerability in conjunction with another\n vulnerability, such as a remote code execution\n vulnerability, to run arbitrary code on a target system.\n (CVE-2017-11874)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2017-11830)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles page content, which\n could allow an attacker to detect the navigation of the\n user leaving a maliciously crafted page.\n (CVE-2017-11848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2017-11831,\n CVE-2017-11842, CVE-2017-11849, CVE-2017-11853)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-11850)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2017-11833)", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-11-14T00:00:00", "title": "KB4048955: Windows 10 Version 1709 and Windows Server Version 1709 November 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11839", "CVE-2017-11880", "CVE-2017-11851", "CVE-2017-11871", "CVE-2017-11856", "CVE-2017-11862", "CVE-2017-11844", "CVE-2017-11834", "CVE-2017-11848", "CVE-2017-11842", "CVE-2017-11836", "CVE-2017-11870", "CVE-2017-11840", "CVE-2017-11831", "CVE-2017-11830", "CVE-2017-11873", "CVE-2017-11791", "CVE-2017-11837", "CVE-2017-11841", "CVE-2017-11838", "CVE-2017-11827", "CVE-2017-11803", "CVE-2017-11869", "CVE-2017-11861", "CVE-2017-11863", "CVE-2017-11833", "CVE-2017-11858", "CVE-2017-11855", "CVE-2017-11849", "CVE-2017-11843", "CVE-2017-11874", "CVE-2017-11853", "CVE-2017-11846", "CVE-2017-11850", "CVE-2017-11768", "CVE-2017-11866"], "modified": "2017-11-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_NOV_4048955.NASL", "href": "https://www.tenable.com/plugins/nessus/104551", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104551);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2017-11768\",\n \"CVE-2017-11791\",\n \"CVE-2017-11803\",\n \"CVE-2017-11827\",\n \"CVE-2017-11830\",\n \"CVE-2017-11831\",\n \"CVE-2017-11833\",\n \"CVE-2017-11834\",\n \"CVE-2017-11836\",\n \"CVE-2017-11837\",\n \"CVE-2017-11838\",\n \"CVE-2017-11839\",\n \"CVE-2017-11840\",\n \"CVE-2017-11841\",\n \"CVE-2017-11842\",\n \"CVE-2017-11843\",\n \"CVE-2017-11844\",\n \"CVE-2017-11846\",\n \"CVE-2017-11848\",\n \"CVE-2017-11849\",\n \"CVE-2017-11850\",\n \"CVE-2017-11851\",\n \"CVE-2017-11853\",\n \"CVE-2017-11855\",\n \"CVE-2017-11856\",\n \"CVE-2017-11858\",\n \"CVE-2017-11861\",\n \"CVE-2017-11862\",\n \"CVE-2017-11863\",\n \"CVE-2017-11866\",\n \"CVE-2017-11869\",\n \"CVE-2017-11870\",\n \"CVE-2017-11871\",\n \"CVE-2017-11873\",\n \"CVE-2017-11874\",\n \"CVE-2017-11880\"\n );\n script_bugtraq_id(\n 101703,\n 101704,\n 101705,\n 101706,\n 101707,\n 101709,\n 101714,\n 101715,\n 101716,\n 101719,\n 101721,\n 101722,\n 101723,\n 101724,\n 101725,\n 101727,\n 101728,\n 101730,\n 101731,\n 101732,\n 101733,\n 101734,\n 101735,\n 101737,\n 101738,\n 101740,\n 101741,\n 101742,\n 101748,\n 101750,\n 101751,\n 101753,\n 101755,\n 101762,\n 101763,\n 101764\n );\n script_xref(name:\"MSKB\", value:\"4048955\");\n script_xref(name:\"MSFT\", value:\"MS17-4048955\");\n\n script_name(english:\"KB4048955: Windows 10 Version 1709 and Windows Server Version 1709 November 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4048955.\nIt is, therefore, 
affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11827,\n CVE-2017-11858)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11837, CVE-2017-11838, CVE-2017-11843,\n CVE-2017-11846)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11803, CVE-2017-11844)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11855,\n CVE-2017-11856, CVE-2017-11869)\n\n - An information vulnerability exists when Windows Media\n Player improperly discloses file information. Successful\n exploitation of the vulnerability could allow the\n attacker to test for the presence of files on disk.\n (CVE-2017-11768)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. 
An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2017-11834)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge when the Edge Content Security Policy\n (CSP) fails to properly validate certain specially\n crafted documents. An attacker who exploited the bypass\n could trick a user into loading a page containing\n malicious content. (CVE-2017-11863)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11880)\n\n - A Win32k information disclosure vulnerability exists\n when the Windows GDI component improperly discloses\n kernel memory addresses. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-11851)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11836,\n CVE-2017-11839, CVE-2017-11840, CVE-2017-11841,\n CVE-2017-11861, CVE-2017-11862, CVE-2017-11866,\n CVE-2017-11870, CVE-2017-11871, CVE-2017-11873)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft browsers. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2017-11791)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge as a result of how memory is accessed in\n code compiled by the Edge Just-In-Time (JIT) compiler\n that allows Control Flow Guard (CFG) to be bypassed. 
By\n itself, this CFG bypass vulnerability does not allow\n arbitrary code execution. However, an attacker could use\n the CFG bypass vulnerability in conjunction with another\n vulnerability, such as a remote code execution\n vulnerability, to run arbitrary code on a target system.\n (CVE-2017-11874)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2017-11830)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles page content, which\n could allow an attacker to detect the navigation of the\n user leaving a maliciously crafted page.\n (CVE-2017-11848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2017-11831,\n CVE-2017-11842, CVE-2017-11849, CVE-2017-11853)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-11850)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117414);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-8271\",\n \"CVE-2018-8315\",\n \"CVE-2018-8332\",\n \"CVE-2018-8335\",\n \"CVE-2018-8354\",\n \"CVE-2018-8367\",\n \"CVE-2018-8392\",\n \"CVE-2018-8393\",\n \"CVE-2018-8410\",\n \"CVE-2018-8419\",\n \"CVE-2018-8420\",\n \"CVE-2018-8421\",\n \"CVE-2018-8424\",\n \"CVE-2018-8425\",\n \"CVE-2018-8433\",\n \"CVE-2018-8434\",\n \"CVE-2018-8435\",\n \"CVE-2018-8438\",\n \"CVE-2018-8439\",\n \"CVE-2018-8440\",\n \"CVE-2018-8442\",\n \"CVE-2018-8443\",\n \"CVE-2018-8444\",\n \"CVE-2018-8446\",\n \"CVE-2018-8447\",\n \"CVE-2018-8449\",\n \"CVE-2018-8452\",\n \"CVE-2018-8457\",\n \"CVE-2018-8462\",\n \"CVE-2018-8464\",\n \"CVE-2018-8466\",\n \"CVE-2018-8467\",\n \"CVE-2018-8468\",\n \"CVE-2018-8469\",\n \"CVE-2018-8470\",\n \"CVE-2018-8475\"\n );\n script_xref(name:\"MSKB\", value:\"4457132\");\n script_xref(name:\"MSFT\", value:\"MS18-4457132\");\n\n script_name(english:\"KB4457132: Windows 10 September 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4457132.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8457)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8424)\n\n - An elevation of privilege vulnerability exists in\n Windows that allows a sandbox escape. An attacker who\n successfully exploited the vulnerability could use the\n sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution. However, the vulnerability\n could allow arbitrary code to run if an attacker uses it\n in combination with another vulnerability, such as a\n remote code execution vulnerability or another elevation\n of privilege vulnerability, that can leverage the\n elevated privileges when code execution is attempted.\n The security update addresses the vulnerability by\n correcting how Windows parses files. (CVE-2018-8468)\n\n - A remote code execution vulnerability exists when\n Windows does not properly handle specially crafted image\n files. An attacker who successfully exploited the\n vulnerability could execute arbitrary code.\n (CVE-2018-8475)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8440)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge that could allow an attacker to escape\n from the AppContainer sandbox in the browser. An\n attacker who successfully exploited this vulnerability\n could gain elevated privileges and break out of the Edge\n AppContainer sandbox. The vulnerability by itself does\n not allow arbitrary code to run. However, this\n vulnerability could be used in conjunction with one or\n more vulnerabilities (for example a remote code\n execution vulnerability and another elevation of\n privilege vulnerability) to take advantage of the\n elevated privileges when running. The security update\n addresses the vulnerability by modifying how Microsoft\n Edge handles sandboxing. (CVE-2018-8469)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8442, CVE-2018-8443)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8439)\n\n - An elevation of privilege vulnerability exists when the\n Windows Kernel API improperly handles registry objects\n in memory. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a\n targeted system. A locally authenticated attacker could\n exploit this vulnerability by running a specially\n crafted application. 
The security update addresses the\n vulnerability by helping to ensure that the Windows\n Kernel API properly handles objects in memory.\n (CVE-2018-8410)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8462)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8446)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8367, CVE-2018-8466,\n CVE-2018-8467)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8438)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2018-8434)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8332)\n\n - An information disclosure vulnerability exists when the\n browser scripting engine improperly handle object types.\n An attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The security update addresses the\n vulnerability by correcting how the browser scripting\n engine handles object types. (CVE-2018-8315)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8392,\n CVE-2018-8393)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. 
Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2018-8335)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 2.0 (SMBv2)\n server handles certain requests. An attacker who\n successfully exploited this vulnerability could craft a\n special packet, which could lead to information\n disclosure from the server. (CVE-2018-8444)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8447)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows bowser.sys kernel-mode driver\n fails to properly handle objects in memory. An attacker\n who successfully exploited the vulnerability could\n potentially disclose contents of System memory.\n (CVE-2018-8271)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8419)\n\n - An remote code execution vulnerability exists when\n Microsoft Edge PDF Reader improperly handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8464)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes input. An attacker\n who successfully exploited this vulnerability could take\n control of an affected system. (CVE-2018-8421)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8420)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft browsers. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-8452)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-8449)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. 
An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2018-8433)\n\n - A security feature bypass vulnerability exists when\n Windows Hyper-V BIOS loader fails to provide a high-\n entropy source. (CVE-2018-8435)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8354)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer due to how scripts are handled that\n allows a universal cross-site scripting (UXSS)\n condition. An attacker could use the UXSS vulnerability\n to access any session belonging to web pages currently\n opened (or cached) by the browser at the time the attack\n is triggered. (CVE-2018-8470)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8425)\");\n # https://support.microsoft.com/en-us/help/4457132/windows-10-update-kb4457132\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8e9df1b4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4457132.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8421\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-09\";\nkbs = make_list('4457132');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"09_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4457132])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:24", "description": "The remote Windows host is missing security update 4457142.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8457)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8424)\n\n - An elevation of privilege vulnerability exists in\n Windows that allows a sandbox escape. An attacker who\n successfully exploited the vulnerability could use the\n sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution. However, the vulnerability\n could allow arbitrary code to run if an attacker uses it\n in combination with another vulnerability, such as a\n remote code execution vulnerability or another elevation\n of privilege vulnerability, that can leverage the\n elevated privileges when code execution is attempted.\n The security update addresses the vulnerability by\n correcting how Windows parses files. (CVE-2018-8468)\n\n - A remote code execution vulnerability exists when\n Windows does not properly handle specially crafted image\n files. An attacker who successfully exploited the\n vulnerability could execute arbitrary code.\n (CVE-2018-8475)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8440)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge that could allow an attacker to escape\n from the AppContainer sandbox in the browser. An\n attacker who successfully exploited this vulnerability\n could gain elevated privileges and break out of the Edge\n AppContainer sandbox. The vulnerability by itself does\n not allow arbitrary code to run. However, this\n vulnerability could be used in conjunction with one or\n more vulnerabilities (for example a remote code\n execution vulnerability and another elevation of\n privilege vulnerability) to take advantage of the\n elevated privileges when running. The security update\n addresses the vulnerability by modifying how Microsoft\n Edge handles sandboxing. (CVE-2018-8469)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8442, CVE-2018-8443)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8439)\n\n - An elevation of privilege vulnerability exists when the\n Windows Kernel API improperly handles registry objects\n in memory. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a\n targeted system. 
A locally authenticated attacker could\n exploit this vulnerability by running a specially\n crafted application. The security update addresses the\n vulnerability by helping to ensure that the Windows\n Kernel API properly handles objects in memory.\n (CVE-2018-8410)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8462)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8446)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8420)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8438)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8456)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. 
(CVE-2018-8434)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8332)\n\n - An information disclosure vulnerability exists when the\n browser scripting engine improperly handle object types.\n An attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The security update addresses the\n vulnerability by correcting how the browser scripting\n engine handles object types. (CVE-2018-8315)\n\n - A security feature bypass vulnerability exists when\n Windows Subsystem for Linux improperly handles case\n sensitivity. An attacker who successfully exploited this\n vulnerability could replace or delete arbitrary files as\n a low privilege user. A attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Windows Subsystem for Linux handles case\n sensitivity. (CVE-2018-8337)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
(CVE-2018-0965, CVE-2018-8439)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8425)", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-11T00:00:00", "title": "KB4457138: Windows 10 Version 1703 September 2018 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8425", "CVE-2018-8354", "CVE-2018-8467", "CVE-2018-8443", "CVE-2018-8410", "CVE-2018-8442", "CVE-2018-8456", "CVE-2018-8419", "CVE-2018-8433", "CVE-2018-8271", "CVE-2018-0965", "CVE-2018-8439", "CVE-2018-8449", "CVE-2018-8465", "CVE-2018-8424", "CVE-2018-8434", "CVE-2018-8466", "CVE-2018-8447", "CVE-2018-8367", "CVE-2018-8452", "CVE-2018-8392", "CVE-2018-8440", "CVE-2018-8420", "CVE-2018-8393", "CVE-2018-8332", "CVE-2018-8457", "CVE-2018-8455", "CVE-2018-8438", "CVE-2018-8475", "CVE-2018-8435", "CVE-2018-8446", "CVE-2018-8315", "CVE-2018-8421", "CVE-2018-8462", "CVE-2018-8468", "CVE-2018-8335", "CVE-2018-8470", "CVE-2018-8469", "CVE-2018-8464"], "modified": "2018-09-11T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_SEP_4457138.NASL", "href": "https://www.tenable.com/plugins/nessus/117416", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117416);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0965\",\n \"CVE-2018-8271\",\n \"CVE-2018-8315\",\n \"CVE-2018-8332\",\n \"CVE-2018-8335\",\n \"CVE-2018-8354\",\n \"CVE-2018-8367\",\n \"CVE-2018-8392\",\n \"CVE-2018-8393\",\n \"CVE-2018-8410\",\n \"CVE-2018-8419\",\n \"CVE-2018-8420\",\n \"CVE-2018-8421\",\n \"CVE-2018-8424\",\n \"CVE-2018-8425\",\n \"CVE-2018-8433\",\n \"CVE-2018-8434\",\n \"CVE-2018-8435\",\n \"CVE-2018-8438\",\n \"CVE-2018-8439\",\n \"CVE-2018-8440\",\n \"CVE-2018-8442\",\n \"CVE-2018-8443\",\n \"CVE-2018-8446\",\n \"CVE-2018-8447\",\n \"CVE-2018-8449\",\n \"CVE-2018-8452\",\n \"CVE-2018-8455\",\n \"CVE-2018-8456\",\n \"CVE-2018-8457\",\n \"CVE-2018-8462\",\n \"CVE-2018-8464\",\n \"CVE-2018-8465\",\n \"CVE-2018-8466\",\n \"CVE-2018-8467\",\n \"CVE-2018-8468\",\n \"CVE-2018-8469\",\n \"CVE-2018-8470\",\n \"CVE-2018-8475\"\n );\n script_xref(name:\"MSKB\", value:\"4457138\");\n script_xref(name:\"MSFT\", value:\"MS18-4457138\");\n\n script_name(english:\"KB4457138: Windows 10 Version 1703 September 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4457138.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8457)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8424)\n\n - An elevation of privilege vulnerability exists in\n Windows that allows a sandbox escape. An attacker who\n successfully exploited the vulnerability could use the\n sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution. However, the vulnerability\n could allow arbitrary code to run if an attacker uses it\n in combination with another vulnerability, such as a\n remote code execution vulnerability or another elevation\n of privilege vulnerability, that can leverage the\n elevated privileges when code execution is attempted.\n The security update addresses the vulnerability by\n correcting how Windows parses files. (CVE-2018-8468)\n\n - A remote code execution vulnerability exists when\n Windows does not properly handle specially crafted image\n files. An attacker who successfully exploited the\n vulnerability could execute arbitrary code.\n (CVE-2018-8475)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8440)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge that could allow an attacker to escape\n from the AppContainer sandbox in the browser. An\n attacker who successfully exploited this vulnerability\n could gain elevated privileges and break out of the Edge\n AppContainer sandbox. The vulnerability by itself does\n not allow arbitrary code to run. However, this\n vulnerability could be used in conjunction with one or\n more vulnerabilities (for example a remote code\n execution vulnerability and another elevation of\n privilege vulnerability) to take advantage of the\n elevated privileges when running. The security update\n addresses the vulnerability by modifying how Microsoft\n Edge handles sandboxing. (CVE-2018-8469)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8442, CVE-2018-8443)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8419)\n\n - An elevation of privilege vulnerability exists when the\n Windows Kernel API improperly handles registry objects\n in memory. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a\n targeted system. 
A locally authenticated attacker could\n exploit this vulnerability by running a specially\n crafted application. The security update addresses the\n vulnerability by helping to ensure that the Windows\n Kernel API properly handles objects in memory.\n (CVE-2018-8410)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8462)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8446)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8420)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8438)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8456)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. 
(CVE-2018-8434)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8332)\n\n - An information disclosure vulnerability exists when the\n browser scripting engine improperly handle object types.\n An attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The security update addresses the\n vulnerability by correcting how the browser scripting\n engine handles object types. (CVE-2018-8315)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8392,\n CVE-2018-8393)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. 
To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2018-8335)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8455)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8447)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows bowser.sys kernel-mode driver\n fails to properly handle objects in memory. An attacker\n who successfully exploited the vulnerability could\n potentially disclose contents of System memory.\n (CVE-2018-8271)\n\n - An remote code execution vulnerability exists when\n Microsoft Edge PDF Reader improperly handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8464)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes input. An attacker\n who successfully exploited this vulnerability could take\n control of an affected system. (CVE-2018-8421)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8367, CVE-2018-8465,\n CVE-2018-8466, CVE-2018-8467)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft browsers. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-8452)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-8449)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. 
An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2018-8433)\n\n - A security feature bypass vulnerability exists when\n Windows Hyper-V BIOS loader fails to provide a high-\n entropy source. (CVE-2018-8435)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8354)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer due to how scripts are handled that\n allows a universal cross-site scripting (UXSS)\n condition. An attacker could use the UXSS vulnerability\n to access any session belonging to web pages currently\n opened (or cached) by the browser at the time the attack\n is triggered. (CVE-2018-8470)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-0965, CVE-2018-8439)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8425)\");\n # https://support.microsoft.com/en-us/help/4457138/windows-10-update-kb4457138\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?625cb458\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4457138.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8421\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-09\";\nkbs = make_list('4457138');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"09_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4457138])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:24", "description": "The remote Windows host is missing security update 4457131.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8457)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8424)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-0965, CVE-2018-8439)\n\n - A remote code execution vulnerability exists when\n Windows does not properly handle specially crafted image\n files. An attacker who successfully exploited the\n vulnerability could execute arbitrary code.\n (CVE-2018-8475)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8440)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge that could allow an attacker to escape\n from the AppContainer sandbox in the browser. 
An\n attacker who successfully exploited this vulnerability\n could gain elevated privileges and break out of the Edge\n AppContainer sandbox. The vulnerability by itself does\n not allow arbitrary code to run. However, this\n vulnerability could be used in conjunction with one or\n more vulnerabilities (for example a remote code\n execution vulnerability and another elevation of\n privilege vulnerability) to take advantage of the\n elevated privileges when running. The security update\n addresses the vulnerability by modifying how Microsoft\n Edge handles sandboxing. (CVE-2018-8469)\n\n - An elevation of privilege vulnerability exists in\n Windows that allows a sandbox escape. An attacker who\n successfully exploited the vulnerability could use the\n sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution. However, the vulnerability\n could allow arbitrary code to run if an attacker uses it\n in combination with another vulnerability, such as a\n remote code execution vulnerability or another elevation\n of privilege vulnerability, that can leverage the\n elevated privileges when code execution is attempted.\n The security update addresses the vulnerability by\n correcting how Windows parses files. (CVE-2018-8468)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8442, CVE-2018-8443)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. 
An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8419)\n\n - An elevation of privilege vulnerability exists when the\n Windows Kernel API improperly handles registry objects\n in memory. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a\n targeted system. A locally authenticated attacker could\n exploit this vulnerability by running a specially\n crafted application. The security update addresses the\n vulnerability by helping to ensure that the Windows\n Kernel API properly handles objects in memory.\n (CVE-2018-8410)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8462)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8446)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8420)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8438)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. 
(CVE-2018-8434)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8332)\n\n - An information disclosure vulnerability exists when the\n browser scripting engine improperly handle object types.\n An attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The security update addresses the\n vulnerability by correcting how the browser scripting\n engine handles object types. (CVE-2018-8315)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8392,\n CVE-2018-8393)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. 
To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2018-8335)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8455)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8447)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows bowser.sys kernel-mode driver\n fails to properly handle objects in memory. An attacker\n who successfully exploited the vulnerability could\n potentially disclose contents of System memory.\n (CVE-2018-8271)\n\n - An remote code execution vulnerability exists when\n Microsoft Edge PDF Reader improperly handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8464)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes input. An attacker\n who successfully exploited this vulnerability could take\n control of an affected system. (CVE-2018-8421)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8367, CVE-2018-8465,\n CVE-2018-8466, CVE-2018-8467)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft browsers. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-8452)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-8449)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. 
An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2018-8433)\n\n - A security feature bypass vulnerability exists when\n Windows Hyper-V BIOS loader fails to provide a high-\n entropy source. (CVE-2018-8435)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8354)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer due to how scripts are handled that\n allows a universal cross-site scripting (UXSS)\n condition. An attacker could use the UXSS vulnerability\n to access any session belonging to web pages currently\n opened (or cached) by the browser at the time the attack\n is triggered. (CVE-2018-8470)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8425)", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-11T00:00:00", "title": "KB4457131: Windows 10 Version 1607 and Windows Server 2016 September 2018 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8425", "CVE-2018-8354", "CVE-2018-8467", "CVE-2018-8443", "CVE-2018-8410", "CVE-2018-8442", "CVE-2018-8419", "CVE-2018-8433", "CVE-2018-8271", "CVE-2018-0965", "CVE-2018-8439", "CVE-2018-8449", "CVE-2018-8465", "CVE-2018-8424", "CVE-2018-8434", "CVE-2018-8466", "CVE-2018-8447", "CVE-2018-8367", "CVE-2018-8452", "CVE-2018-8392", "CVE-2018-8440", "CVE-2018-8420", "CVE-2018-8393", "CVE-2018-8332", "CVE-2018-8457", "CVE-2018-8455", "CVE-2018-8438", "CVE-2018-8475", "CVE-2018-8435", "CVE-2018-8446", "CVE-2018-8315", "CVE-2018-8421", "CVE-2018-8462", "CVE-2018-8468", "CVE-2018-8335", "CVE-2018-8470", "CVE-2018-8469", "CVE-2018-8464"], "modified": "2018-09-11T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_SEP_4457131.NASL", "href": "https://www.tenable.com/plugins/nessus/117413", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117413);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0965\",\n \"CVE-2018-8271\",\n \"CVE-2018-8315\",\n \"CVE-2018-8332\",\n \"CVE-2018-8335\",\n \"CVE-2018-8354\",\n \"CVE-2018-8367\",\n \"CVE-2018-8392\",\n \"CVE-2018-8393\",\n \"CVE-2018-8410\",\n \"CVE-2018-8419\",\n \"CVE-2018-8420\",\n \"CVE-2018-8421\",\n \"CVE-2018-8424\",\n \"CVE-2018-8425\",\n \"CVE-2018-8433\",\n \"CVE-2018-8434\",\n \"CVE-2018-8435\",\n \"CVE-2018-8438\",\n \"CVE-2018-8439\",\n \"CVE-2018-8440\",\n \"CVE-2018-8442\",\n \"CVE-2018-8443\",\n \"CVE-2018-8446\",\n \"CVE-2018-8447\",\n \"CVE-2018-8449\",\n \"CVE-2018-8452\",\n \"CVE-2018-8455\",\n \"CVE-2018-8457\",\n \"CVE-2018-8462\",\n \"CVE-2018-8464\",\n \"CVE-2018-8465\",\n \"CVE-2018-8466\",\n \"CVE-2018-8467\",\n \"CVE-2018-8468\",\n \"CVE-2018-8469\",\n \"CVE-2018-8470\",\n \"CVE-2018-8475\"\n );\n script_xref(name:\"MSKB\", value:\"4457131\");\n script_xref(name:\"MSFT\", value:\"MS18-4457131\");\n\n script_name(english:\"KB4457131: Windows 10 Version 1607 and Windows Server 2016 September 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4457131.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8457)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8424)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-0965, CVE-2018-8439)\n\n - A remote code execution vulnerability exists when\n Windows does not properly handle specially crafted image\n files. An attacker who successfully exploited the\n vulnerability could execute arbitrary code.\n (CVE-2018-8475)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8440)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge that could allow an attacker to escape\n from the AppContainer sandbox in the browser. An\n attacker who successfully exploited this vulnerability\n could gain elevated privileges and break out of the Edge\n AppContainer sandbox. The vulnerability by itself does\n not allow arbitrary code to run. 
However, this\n vulnerability could be used in conjunction with one or\n more vulnerabilities (for example a remote code\n execution vulnerability and another elevation of\n privilege vulnerability) to take advantage of the\n elevated privileges when running. The security update\n addresses the vulnerability by modifying how Microsoft\n Edge handles sandboxing. (CVE-2018-8469)\n\n - An elevation of privilege vulnerability exists in\n Windows that allows a sandbox escape. An attacker who\n successfully exploited the vulnerability could use the\n sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution. However, the vulnerability\n could allow arbitrary code to run if an attacker uses it\n in combination with another vulnerability, such as a\n remote code execution vulnerability or another elevation\n of privilege vulnerability, that can leverage the\n elevated privileges when code execution is attempted.\n The security update addresses the vulnerability by\n correcting how Windows parses files. (CVE-2018-8468)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8442, CVE-2018-8443)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8419)\n\n - An elevation of privilege vulnerability exists when the\n Windows Kernel API improperly handles registry objects\n in memory. 
An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a\n targeted system. A locally authenticated attacker could\n exploit this vulnerability by running a specially\n crafted application. The security update addresses the\n vulnerability by helping to ensure that the Windows\n Kernel API properly handles objects in memory.\n (CVE-2018-8410)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8462)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8446)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8420)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8438)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2018-8434)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8332)\n\n - An information disclosure vulnerability exists when the\n browser scripting engine improperly handle object types.\n An attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The security update addresses the\n vulnerability by correcting how the browser scripting\n engine handles object types. (CVE-2018-8315)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8392,\n CVE-2018-8393)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. 
Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2018-8335)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8455)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8447)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows bowser.sys kernel-mode driver\n fails to properly handle objects in memory. An attacker\n who successfully exploited the vulnerability could\n potentially disclose contents of System memory.\n (CVE-2018-8271)\n\n - An remote code execution vulnerability exists when\n Microsoft Edge PDF Reader improperly handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
(CVE-2018-8464)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes input. An attacker\n who successfully exploited this vulnerability could take\n control of an affected system. (CVE-2018-8421)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8367, CVE-2018-8465,\n CVE-2018-8466, CVE-2018-8467)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft browsers. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-8452)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-8449)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. 
The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2018-8433)\n\n - A security feature bypass vulnerability exists when\n Windows Hyper-V BIOS loader fails to provide a high-\n entropy source. (CVE-2018-8435)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8354)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer due to how scripts are handled that\n allows a universal cross-site scripting (UXSS)\n condition. An attacker could use the UXSS vulnerability\n to access any session belonging to web pages currently\n opened (or cached) by the browser at the time the attack\n is triggered. (CVE-2018-8470)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8425)\");\n # https://support.microsoft.com/en-us/help/4457131/windows-10-update-kb4457131\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?db9cdb46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4457131.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8421\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-09\";\nkbs = make_list('4457131');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"09_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4457131])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:24", "description": "The remote Windows host is missing security update 4457128.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8457)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8424)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-0965, CVE-2018-8439)\n\n - A remote code execution vulnerability exists when\n Windows does not properly handle specially crafted image\n files. An attacker who successfully exploited the\n vulnerability could execute arbitrary code.\n (CVE-2018-8475)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8440)\n\n - An elevation of privilege vulnerability exists in\n Windows that allows a sandbox escape. An attacker who\n successfully exploited the vulnerability could use the\n sandbox escape to elevate privileges on an affected\n system. 
This vulnerability by itself does not allow\n arbitrary code execution. However, the vulnerability\n could allow arbitrary code to run if an attacker uses it\n in combination with another vulnerability, such as a\n remote code execution vulnerability or another elevation\n of privilege vulnerability, that can leverage the\n elevated privileges when code execution is attempted.\n The security update addresses the vulnerability by\n correcting how Windows parses files. (CVE-2018-8468)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8419)\n\n - An elevation of privilege vulnerability exists when the\n Windows Kernel API improperly handles registry objects\n in memory. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a\n targeted system. A locally authenticated attacker could\n exploit this vulnerability by running a specially\n crafted application. The security update addresses the\n vulnerability by helping to ensure that the Windows\n Kernel API properly handles objects in memory.\n (CVE-2018-8410)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8462)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8446)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge that could allow an attacker to escape\n from the AppContainer sandbox in the browser. 
An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing. (CVE-2018-8463, CVE-2018-8469)

 - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user's system. (CVE-2018-8420)

 - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2018-8433)

 - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-8434)

 - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8332)

 - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2018-8442, CVE-2018-8443, CVE-2018-8445)

 - An information disclosure vulnerability exists when the browser scripting engine improperly handles object types. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The security update addresses the vulnerability by correcting how the browser scripting engine handles object types. (CVE-2018-8315)

 - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8447, CVE-2018-8461)

 - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-8392, CVE-2018-8393)

 - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2018-8335)

 - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-8436, CVE-2018-8437, CVE-2018-8438)

 - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2018-8455)

 - An elevation of privilege vulnerability exists due to an integer overflow in Windows Subsystem for Linux. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2018-8441)

 - An information disclosure vulnerability exists in Windows when the Windows bowser.sys kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose contents of System memory. (CVE-2018-8271)

 - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8456, CVE-2018-8459)

 - A remote code execution vulnerability exists when Microsoft Edge PDF Reader improperly handles objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8464)

 - An information disclosure vulnerability exists when the Microsoft Edge Fetch API incorrectly handles a filtered response type. An attacker could use the vulnerability to read the URL of a cross-origin request. Websites that do not securely populate the URL with confidential information could allow information to be disclosed to an attacker. (CVE-2018-8366)

 - A remote code execution vulnerability exists when Microsoft .NET Framework processes input. An attacker who successfully exploited this vulnerability could take control of an affected system. (CVE-2018-8421)

 - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8367, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467)

 - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. (CVE-2018-8452)

 - A security feature bypass exists when Device Guard incorrectly validates an untrusted file. An attacker who successfully exploited this vulnerability could make an unsigned file appear to be signed. Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute. In an attack scenario, an attacker could make an untrusted file appear to be a trusted file. The update addresses the vulnerability by correcting how Device Guard handles untrusted files. (CVE-2018-8449)

 - A security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source. (CVE-2018-8435)

 - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8354)

 - A security feature bypass vulnerability exists in Internet Explorer due to how scripts are handled that allows a universal cross-site scripting (UXSS) condition. An attacker could use the UXSS vulnerability to access any session belonging to web pages currently opened (or cached) by the browser at the time the attack is triggered. (CVE-2018-8470)

 - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8425)

Record: Nessus plugin SMB_NT_MS18_SEP_4457128.NASL (plugin id 117411, https://www.tenable.com/plugins/nessus/117411), "KB4457128: Windows 10 Version 1803 and Windows Server Version 1803 September 2018 Security Update". Type: nessus (scanner); edition 25; published and modified 2018-09-11. CVSS v3 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C); score source CVE-2018-8421. CPE: cpe:/o:microsoft:windows, cpe:/a:microsoft:edge. Solution: apply Cumulative Update KB4457128 (see also https://support.microsoft.com/en-us/help/4457128/windows-10-update-kb4457128). The plugin reports the host vulnerable when the Windows 10 build 17134 (version 1803) host, checked over SMB, is missing the 09_2018 rollup KB4457128. Tenable marks exploits as available (Metasploit module "Microsoft Windows ALPC Task Scheduler Local Privilege Elevation", CANVAS) and the bulletin as exploited by malware.
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-09\";\nkbs = make_list('4457128');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"09_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4457128])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2017-12-25T19:52:52", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11768", "CVE-2017-11770", "CVE-2017-11788", "CVE-2017-11791", "CVE-2017-11803", "CVE-2017-11827", "CVE-2017-11830", "CVE-2017-11831", "CVE-2017-11832", "CVE-2017-11833", "CVE-2017-11834", "CVE-2017-11835", "CVE-2017-11836", "CVE-2017-11837", 
"CVE-2017-11838", "CVE-2017-11839", "CVE-2017-11840", "CVE-2017-11841", "CVE-2017-11842", "CVE-2017-11843", "CVE-2017-11844", "CVE-2017-11845", "CVE-2017-11846", "CVE-2017-11847", "CVE-2017-11848", "CVE-2017-11849", "CVE-2017-11850", "CVE-2017-11851", "CVE-2017-11852", "CVE-2017-11853", "CVE-2017-11854", "CVE-2017-11855", "CVE-2017-11856", "CVE-2017-11858", "CVE-2017-11861", "CVE-2017-11862", "CVE-2017-11863", "CVE-2017-11866", "CVE-2017-11869", "CVE-2017-11870", "CVE-2017-11871", "CVE-2017-11872", "CVE-2017-11873", "CVE-2017-11874", "CVE-2017-11876", "CVE-2017-11877", "CVE-2017-11878", "CVE-2017-11879", "CVE-2017-11880", "CVE-2017-11882", "CVE-2017-11883", "CVE-2017-11884", "CVE-2017-16367", "CVE-2017-8700"], "description": "Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.<br /><br />In addition, an update for Adobe Reader was released which addresses CVE-2017-16367 / TALOS-2017-0356 - Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Code Execution Vulnerability which was discovered by Aleksandar Nikolic of Cisco Talos. This vulnerability manifests as a type confusion vulnerability in the PDF parsing functionality for documents containing marked structure elements. A specifically crafted PDF document designed to trigger the vulnerability could cause an out-of-bounds access on the heap, potentially leading to arbitrary code execution. 
More details regarding this vulnerability are available <a href=\"https://talosintelligence.com/vulnerability_reports/TALOS-2017-0356\">here</a>.<br /><br /><a name='more'></a><h2 id=\"h.zgfs4ty8epb8\">Vulnerabilities Rated Critical</h2><br />The following vulnerabilities are rated \"Critical\" by Microsoft:<br /><br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11836\">CVE-2017-11836 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11837\">CVE-2017-11837 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11838\">CVE-2017-11838 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11839\">CVE-2017-11839 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11840\">CVE-2017-11840 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11841\">CVE-2017-11841 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11843\">CVE-2017-11843 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11845\">CVE-2017-11845 - Microsoft Edge Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11846\">CVE-2017-11846 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11855\">CVE-2017-11855 - Internet 
Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11856\">CVE-2017-11856 - Internet Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11858\">CVE-2017-11858 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11861\">CVE-2017-11861 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11862\">CVE-2017-11862 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11866\">CVE-2017-11866 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11869\">CVE-2017-11869 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11870\">CVE-2017-11870 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11871\">CVE-2017-11871 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11873\">CVE-2017-11873 - Scripting Engine Memory Corruption Vulnerability</a></li></ul><br /><h3 id=\"h.pmrxkbmph7q8\">Multiple CVEs - Scripting Engine Memory Corruption Vulnerability</h3><br />Multiple vulnerabilities have been identified in the scripting engine of Microsoft Edge that could allow an attacker to execute arbitrary code. These vulnerabilities manifest due to Microsoft Edge improperly handling objects in memory. 
Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit these vulnerabilities. Successful exploitation of these vulnerabilities could allow an attacker to execute code within the context of the current user.<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11836</li><li>CVE-2017-11839</li><li>CVE-2017-11840</li><li>CVE-2017-11841</li><li>CVE-2017-11861</li><li>CVE-2017-11862</li><li>CVE-2017-11866</li><li>CVE-2017-11870</li><li>CVE-2017-11871</li><li>CVE-2017-11873</li></ul><h3 id=\"h.9bhb21vu9pw3\">Multiple CVEs - Scripting Engine Memory Corruption Vulnerability</h3><br />Multiple remote code execution vulnerabilities have been identified affecting the scripting engine in Microsoft browsers. These vulnerabilities manifest due to the scripting engine improperly handling objects in memory. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code within the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked \"safe for initialization.\"<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11837</li><li>CVE-2017-11838</li><li>CVE-2017-11843</li><li>CVE-2017-11846</li><li>CVE-2017-11858</li></ul><h3 id=\"h.l4j3cblo56e5\">CVE-2017-11845 - Microsoft Edge Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified that affects Microsoft Edge. The vulnerability is related to the way Microsoft Edge accesses objects in memory. 
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with the same access rights as the current user. Scenarios where this vulnerability would likely be exploited include web-based attacks where a user navigates to a malicious webpage designed to exploit this vulnerability, or via the use of a malicious email attachment that the user is convinced to open.<br /><br /><h3 id=\"h.kwuhvlxn2rdl\">Multiple CVEs - Internet Explorer Memory Corruption Vulnerability</h3><br />Two remote code execution vulnerabilities have been discovered that affect Internet Explorer. These vulnerabilities are related to the way Internet Explorer accesses objects in memory. Successful exploitation of these vulnerabilities could result in the execution of arbitrary code with the same access rights as the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where a user navigates to a malicious webpage designed to exploit these vulnerabilities, or via the use of a malicious email attachment that the user is convinced to open.<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11855</li><li>CVE-2017-11856</li></ul><h3 id=\"h.25ulimn27xx4\">CVE-2017-11869 - Scripting Engine Memory Corruption Vulnerability</h3><br />A vulnerability has been identified in the scripting engine of Internet Explorer that could allow an attacker to execute arbitrary code. This vulnerability manifests due to Internet Explorer improperly accessing objects in memory. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability. 
Successful exploitation of this vulnerability could allow an attacker to execute code within the context of the current user.<br /><br /><h2 id=\"h.ftn8wufn5bzc\">Vulnerabilities Rated Important</h2><br />The following vulnerabilities are rated \"Important\" by Microsoft:<br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11768\">CVE-2017-11768 - Windows Media Player Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11770\">CVE-2017-11770 - ASP.NET Core Denial Of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11788\">CVE-2017-11788 - Windows Search Denial of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11791\">CVE-2017-11791 - Scripting Engine Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11803\">CVE-2017-11803 - Microsoft Edge Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11827\">CVE-2017-11827 - Microsoft Browser Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11830\">CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11831\">CVE-2017-11831 - Windows Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11832\">CVE-2017-11832 - Windows EOT Font Engine Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11833\">CVE-2017-11833 - Microsoft Edge Information 
Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11834\">CVE-2017-11834 - Scripting Engine Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11835\">CVE-2017-11835 - Windows EOT Font Engine Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11842\">CVE-2017-11842 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11844\">CVE-2017-11844 - Microsoft Edge Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11847\">CVE-2017-11847 - Windows Kernel Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11849\">CVE-2017-11849 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11850\">CVE-2017-11850 - Microsoft Graphics Component Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11851\">CVE-2017-11851 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11852\">CVE-2017-11852 - Windows GDI Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11853\">CVE-2017-11853 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11854\">CVE-2017-11854 - Microsoft Word Memory Corruption Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11863\">CVE-2017-11863 - Microsoft Edge Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11872\">CVE-2017-11872 - Microsoft Edge Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11874\">CVE-2017-11874 - Microsoft Edge Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11877\">CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11878\">CVE-2017-11878 - Microsoft Excel Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11879\">CVE-2017-11879 - ASP.NET Core Elevation Of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11880\">CVE-2017-11880 - Windows Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882\">CVE-2017-11882 - Microsoft Office Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11884\">CVE-2017-11884 - Microsoft Office Memory Corruption Vulnerability</a></li></ul><h3 id=\"h.bdoa4s47wkbw\">CVE-2017-11768 - Windows Media Player Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects Windows Media Player. This vulnerability manifests due to Windows Media Player improperly disclosing file information. 
In order to exploit this vulnerability an attacker would need to authenticate to an affected system and execute a program designed to exploit this vulnerability. Successful exploitation of this vulnerability would allow an attacker to enumerate the existence of files stored on an affected system.<br /><br /><h3 id=\"h.q5rd6srfdkn8\">Multiple CVEs - ASP.NET Core Denial Of Service Vulnerability</h3><br />Multiple denial of service vulnerabilities have been identified that affect ASP.NET Core. These vulnerabilities manifest due to .NET Core improperly handling web requests. These vulnerabilities could be exploited remotely by an unauthenticated attacker. Successful exploitation could result in a denial of service condition. <br /><br />The following CVEs are related to these vulnerabilities:<br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11770\">CVE-2017-11770 - ASP.NET Core Denial Of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11883\">CVE-2017-11883 - ASP.NET Core Denial Of Service Vulnerability</a></li></ul><h3 id=\"h.38zj0t9asa7l\">CVE-2017-11788 - Windows Search Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified that affects Windows Search. This vulnerability manifests due to Windows Search improperly handling objects in memory. This vulnerability could be exploited by sending specially crafted messages to the Windows Search service. Additionally this vulnerability could be exploited by an unauthenticated remote attacker via Server Message Block (SMB). Successful exploitation of this vulnerability could result in a denial of service condition on affected systems.<br /><br /><h3 id=\"h.n7xhfhgh78f0\">CVE-2017-11791 - Scripting Engine Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects Microsoft browsers. 
This vulnerability manifests due to Microsoft browsers improperly handling objects in memory. This vulnerability could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.<br /><br /><h3 id=\"h.su1nmhb9yrz2\">Multiple CVEs - Microsoft Edge Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified that affect Microsoft Edge. These vulnerabilities manifest due to Microsoft Edge improperly handling objects in memory. These vulnerabilities could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit these vulnerabilities.<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11803</li><li>CVE-2017-11844</li></ul><h3 id=\"h.eak31u2c41u2\">CVE-2017-11827 - Microsoft Browser Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified that affects Microsoft browsers. This vulnerability manifests due to the way in which Microsoft browsers access objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with the same privileges as the current user. 
Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability, or convincing a user to open a malicious email attachment.<br /><br /><h3 id=\"h.fn76sfmfrnf3\">CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability</h3><br />A security feature bypass vulnerability has been identified that affects Device Guard. This vulnerability manifests due to the way in which Device Guard incorrectly validates untrusted files. Successful exploitation of this vulnerability could allow an attacker to make an unsigned file appear as if it is signed, allowing an attacker to execute malicious files on affected systems.<br /><br /><h3 id=\"h.y3wb9e2yktsf\">Multiple CVEs - Windows Information Disclosure Vulnerability</h3><br />Multiple information disclosure vulnerabilities have been identified that affect the Windows kernel. These vulnerabilities manifest due to the Windows kernel failing to properly initialize memory addresses. These vulnerabilities could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Exploiting these vulnerabilities would require an attacker to authenticate to an affected device and execute an application designed to exploit these vulnerabilities.<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11831</li><li>CVE-2017-11880</li></ul><h3 id=\"h.btsw9vna5f30\">Multiple CVEs - Windows EOT Font Engine Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified that affect Microsoft Windows Embedded OpenType (EOT). These vulnerabilities manifest due to the way in which the font engine parses embedded fonts. Successful exploitation of these vulnerabilities could allow an attacker to obtain information that could be used for subsequent attacks against an affected system. 
<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11832</li><li>CVE-2017-11835</li></ul><h3 id=\"h.hzfeoreuofyd\">CVE-2017-11833 - Microsoft Edge Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects Microsoft Edge. This vulnerability manifests due to the way in which Microsoft Edge handles cross-origin requests. This vulnerability could be leveraged by an attacker to determine the origin of webpages within an affected browser. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.<br /><br /><h3 id=\"h.3e1zkv9m7hzg\">CVE-2017-11834 - Scripting Engine Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability was identified that affects Internet Explorer. This vulnerability manifests due to the scripting engine in Internet Explorer not properly handling objects in memory. This vulnerability could be leveraged by an attacker to obtain information that could be used in additional attacks. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.<br /><br /><h3 id=\"h.yv8u67oyrby6\">Multiple CVEs - Windows Kernel Information Disclosure Vulnerability</h3><br />Multiple information disclosure vulnerabilities were identified that affect the Windows Kernel-Mode Drivers. These vulnerabilities manifest due to the Windows Kernel failing to properly initialize memory addresses. These vulnerabilities could be leveraged by an attacker to obtain information that could be used in subsequent attacks to further compromise an affected system. 
Exploitation of these vulnerabilities would require an attacker to log in and execute a program specifically designed to exploit them.<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11842</li><li>CVE-2017-11849</li><li>CVE-2017-11853</li></ul><h3 id=\"h.ispynop4ff07\">CVE-2017-11847 - Windows Kernel Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified that affects the Windows Kernel. This vulnerability manifests due to the Windows Kernel failing to properly handle objects in memory. Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability and could allow an attacker to run arbitrary code in kernel memory.<br /><br /><h3 id=\"h.596vig5drvj1\">CVE-2017-11850 - Microsoft Graphics Component Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects the Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component disclosing kernel memory addresses. An attacker could leverage this vulnerability to obtain information that could be used for additional attacks against an affected system. Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability.<br /><br /><h3 id=\"h.t8ap458u96px\">CVE-2017-11851 - Windows Kernel Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects the Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component disclosing kernel memory addresses. An attacker could leverage this vulnerability to obtain information that could be used for additional attacks against an affected system. 
Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability.<br /><br /><h3 id=\"h.kti9vg98v2si\">CVE-2017-11852 - Windows GDI Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects the Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component disclosing kernel memory addresses. An attacker could leverage this vulnerability to obtain information that could be used for additional attacks against an affected system. Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability.<br /><br /><h3 id=\"h.btbv13lo447t\">CVE-2017-11854 - Microsoft Word Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified that affects Microsoft Office. This vulnerability manifests due to Microsoft Office improperly handling objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code within the context of the current user. In order to exploit this vulnerability, an attacker would need to create a specially crafted file and convince a user to open it within an affected version of Microsoft Office.<br /><br /><h3 id=\"h.vfhxvo8e1vuz\">CVE-2017-11863 - Microsoft Edge Security Feature Bypass Vulnerability</h3><br />A security feature bypass has been identified in Microsoft Edge that could allow an attacker to load a page containing malicious content without the user's knowledge or consent. This vulnerability manifests in the Edge Content Security Policy where certain specially crafted documents are improperly validated. 
An attacker could exploit this vulnerability by convincing a user to navigate to a malicious page or by injecting malicious content into a page, such as an advertisement, thereby bypassing the Content Security Policy.<br /><br /><h3 id=\"h.9suck7nnkgfu\">CVE-2017-11872 - Microsoft Edge Security Feature Bypass Vulnerability</h3><br />A security feature bypass vulnerability has been identified in Microsoft Edge that could allow an attacker to bypass Cross-Origin Resource Sharing restrictions. This vulnerability manifests as a result of Edge improperly handling redirect requests and following redirect requests that should otherwise be ignored. An attacker could exploit this vulnerability by creating a specially crafted web page designed to exploit this vulnerability and convincing a user to visit the web page. Attackers could also leverage vulnerable or compromised web pages to exploit this vulnerability.<br /><br /><h3 id=\"h.9qx8ma9p7xwo\">CVE-2017-11874 - Microsoft Edge Security Feature Bypass Vulnerability</h3><br />A security feature bypass vulnerability has been identified in Microsoft Edge that could allow an attacker to bypass the Control Flow Guard. This vulnerability manifests as a result of the Edge Just-In-Time compiler incorrectly handling memory operations in compiled code. An attacker could exploit this vulnerability by creating a specially crafted web page designed to exploit this vulnerability and convincing a user to visit the web page.<br /><br /><h3 id=\"h.p53pt1akjudq\">CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability</h3><br />A security feature bypass vulnerability has been identified that affects Microsoft Office. The vulnerability is related to Microsoft Office failing to enforce macro settings on Excel documents. 
Exploitation of this vulnerability does not result in code execution and requires an attacker to create a specially crafted file that is opened in an affected version of Microsoft Excel.<br /><br /><h3 id=\"h.recfefvinm40\">CVE-2017-11878 - Microsoft Excel Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified that affects Microsoft Office. The vulnerability is related to Microsoft Office not properly handling objects in memory. Successful exploitation of this vulnerability could result in an attacker gaining the ability to execute arbitrary code within the context of the current user. Exploitation of this vulnerability requires an attacker to create a specially crafted file that is opened in an affected version of Microsoft Office.<br /><br /><h3 id=\"h.hyk2905styk6\">CVE-2017-11879 - ASP.NET Core Elevation Of Privilege Vulnerability</h3><br />An open redirect vulnerability has been identified that affects ASP.NET Core. Exploitation of this vulnerability could result in privilege escalation. In order to exploit this vulnerability an attacker would need to create a specially crafted URL which could be used to redirect the victim's browser session to a malicious site and obtain login session information.<br /><br /><h3 id=\"h.6020jwogk4nx\">Multiple CVEs - Microsoft Office Memory Corruption Vulnerability</h3><br />Multiple remote code execution vulnerabilities have been identified that affect Microsoft Office. These vulnerabilities are related to Microsoft Office not properly handling objects in memory. Successful exploitation of these vulnerabilities could result in an attacker gaining the ability to execute arbitrary code within the context of the current user. Exploitation of these vulnerabilities requires an attacker to create a specially crafted file that is opened in an affected version of Microsoft Office. 
<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><ul><li>CVE-2017-11882</li><li>CVE-2017-11884</li></ul><br /><h2 id=\"h.9bugt6nqiqht\">Vulnerabilities Rated Moderate</h2><br />The following vulnerabilities are rated \"Moderate\" by Microsoft:<br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11848\">CVE-2017-11848 - Internet Explorer Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11876\">CVE-2017-11876 - Microsoft Project Server Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8700\">CVE-2017-8700 - ASP.NET Core Information Disclosure Vulnerability</a></li></ul><h3 id=\"h.wfk7ipeakm4m\">CVE-2017-11848 - Internet Explorer Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects Internet Explorer. This vulnerability manifests due to the way in which Internet Explorer handles page contents. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability. Successful exploitation of this vulnerability could allow an attacker to detect navigation of a user leaving a malicious web page.<br /><br /><h3 id=\"h.1fxj2jwk3xet\">CVE-2017-11876 - Microsoft Project Server Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been discovered affecting Microsoft Project. It is related to the way in which Microsoft Project Server improperly manages user sessions. The victim must be logged in to the target site in order for this vulnerability to be exploited. 
Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability. Successful exploitation of this vulnerability could allow an attacker to access content that the attacker is not authorized to access or impersonate the user within the web application. It could also enable the attacker to inject malicious contents into the victim's browser.<br /><br /><h3 id=\"h.wd4h9qqis9cx\">CVE-2017-8700 - ASP.NET Core Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified that affects ASP.NET Core. This vulnerability could enable an attacker to bypass Cross-Origin Resource Sharing (CORS) configurations. Successful exploitation of this vulnerability could allow an attacker to access content that they are not authorized to access from within a web application.<br /><br /><h2 id=\"h.bipt9xzi68fa\">Coverage</h2><br />In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.<br /><br />Snort Rules:<br /><ul><li>43120-43121</li><li>44809-44834</li><li>44838-44839</li><li>44843-44846</li></ul>For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: <a href=\"http://www.talosintelligence.com/vulnerability-reports/\">http://www.talosintelligence.com/vulnerability-reports/</a><br /><br />To review our Vulnerability Disclosure Policy, please visit this site:<br /><br /><a href=\"http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html\">http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html</a>", "modified": "2017-11-14T19:54:05", "published": "2017-11-14T11:54:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/gKTSu-yN4pM/ms-tuesday.html", "id": "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "type": "talosblog", "title": "Microsoft Patch Tuesday - November 2017", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-17T17:31:06", "bulletinFamily": "blog", "cvelist": ["CVE-2018-0965", "CVE-2018-8271", "CVE-2018-8315", "CVE-2018-8331", "CVE-2018-8332", "CVE-2018-8335", "CVE-2018-8336", "CVE-2018-8337", "CVE-2018-8354", 
"CVE-2018-8366", "CVE-2018-8367", "CVE-2018-8391", "CVE-2018-8392", "CVE-2018-8393", "CVE-2018-8409", "CVE-2018-8410", "CVE-2018-8420", "CVE-2018-8421", "CVE-2018-8424", "CVE-2018-8425", "CVE-2018-8426", "CVE-2018-8428", "CVE-2018-8429", "CVE-2018-8430", "CVE-2018-8431", "CVE-2018-8433", "CVE-2018-8434", "CVE-2018-8435", "CVE-2018-8436", "CVE-2018-8437", "CVE-2018-8438", "CVE-2018-8439", "CVE-2018-8440", "CVE-2018-8441", "CVE-2018-8442", "CVE-2018-8443", "CVE-2018-8444", "CVE-2018-8445", "CVE-2018-8446", "CVE-2018-8447", "CVE-2018-8449", "CVE-2018-8452", "CVE-2018-8455", "CVE-2018-8456", "CVE-2018-8457", "CVE-2018-8459", "CVE-2018-8461", "CVE-2018-8462", "CVE-2018-8463", "CVE-2018-8464", "CVE-2018-8465", "CVE-2018-8466", "CVE-2018-8467", "CVE-2018-8468", "CVE-2018-8469", "CVE-2018-8470", "CVE-2018-8475"], "description": "Microsoft released its monthly set of security updates today for a variety of its products that address a variety of bugs. The latest Patch Tuesday covers 61 vulnerabilities, 17 of which are rated \"critical,\" 43 that are rated \"important\" and one that is considered to have \"moderate\" severity. \n \nThe advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software. \n \nThis update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system. \n \n \n \n\n\n## Critical vulnerabilities\n\n \nMicrosoft released coverage for 17 critical bugs. Cisco Talos believes 16 of these are of special importance and need to be addressed by users immediately. \n \n[CVE-2018-0965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0965>) is a remote code execution vulnerability in the Windows Hyper-V hypervisor. 
An attacker can exploit this vulnerability by running a specially crafted application on a guest system that would cause the system operating Hyper-V to execute arbitrary code. The flaw lies in the way that Hyper-V validates inputs from an authenticated user on a guest OS. \n \n[CVE-2018-8367](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8367>) is a remote code execution vulnerability in the Chakra scripting engine. The engine improperly handles objects in memory in the Microsoft Edge web browser that could allow an attacker to corrupt the system's memory and execute arbitrary code with the user's credentials. \n \n[CVE-2018-8420](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8420>) is a remote code execution vulnerability in Microsoft XML Core Services MSXML. An attacker could trick the user into visiting a specially crafted, malicious website designed to invoke MSXML through a web browser, allowing the attacker to eventually run code and take control of the user's system. \n \n[CVE-2018-8461](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8461>) is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user. A user would need to visit a specially crafted, malicious website to trigger this vulnerability. \n \n[CVE-2018-8475](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8475>) is a remote code execution vulnerability in Windows OS, which exists due to the image-loading functionality improperly handling malformed image files. An attacker could exploit this bug by convincing a user to load a malformed image file from either a web page, email or other method. 
\n \n[CVE-2018-8332](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8332>) is a remote code execution vulnerability in the Windows font library. There are multiple ways in which an attacker could exploit this flaw, including convincing the user to visit a malicious web page or providing the user with a specially crafted, malicious document. \n \n[CVE-2018-8391](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8391>) is a remote code execution vulnerability in the Chakra scripting engine. An attacker who exploits this flaw gains the rights of the current user, so the impact is greatest if the user is logged on with an administrative account. \n \n[CVE-2018-8439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8439>) is a remote code execution vulnerability in the Windows Hyper-V hypervisor. The bug exists in the way Hyper-V on the host server validates input from a guest. An attacker can exploit this flaw by running a specially crafted application on a guest operating system, which could lead to the machine running Hyper-V executing arbitrary code. \n \n[CVE-2018-8447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8447>) is a remote code execution vulnerability in Internet Explorer. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted web page while using the Internet Explorer browser, or by taking advantage of a compromised website through advertisements or attachments that the user would have to click on. \n \n[CVE-2018-8456](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8456>) and [CVE-2018-8459](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8459>) are remote code execution vulnerabilities that exist in the Chakra scripting engine's handling of objects in memory. 
This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user. \n \n[CVE-2018-8457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8457>) is a remote code execution vulnerability that exists in the way Microsoft web browsers' scripting engines handle objects in memory. An attacker could host a specially crafted website to exploit this vulnerability, and then convince the user to visit the website while using a Microsoft web browser, or they could embed an ActiveX control that is marked \"safe for initialization\" in a Microsoft Office file or an application that hosts the browser's rendering engine. \n \n[CVE-2018-8464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8464>) is a remote code execution vulnerability in Microsoft Edge's PDF reader that exists in the way the reader handles objects in memory. An attacker could exploit this bug by convincing a user to click on a web page that contains a malicious PDF, or by hosting the PDF on websites that host user-provided content. \n \n[CVE-2018-8465](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8465>), [CVE-2018-8466](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8466>) and [CVE-2018-8467](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8467>) are remote code execution vulnerabilities in the Chakra scripting engine that lie in the way it handles objects in memory in the Microsoft Edge web browser. An attacker can exploit these bugs by tricking the user into opening a malicious web page, or an advertisement that is hosted on a website that allows user-provided content. 
\n \nThe other critical vulnerability is: \n\n\n * [CVE-2018-8421 \u2014 .NET Framework Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8421>)\n \n\n\n## Important vulnerabilities\n\n \nThere is also coverage for 43 important vulnerabilities, 11 of which we wish to highlight. \n \n[CVE-2018-8354](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8354>) is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. A user would need to visit a specially crafted, malicious website in order to trigger this vulnerability. \n \n[CVE-2018-8392](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8392>) and [CVE-2018-8393](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8393>) are buffer overflow vulnerabilities in the Microsoft Jet Database Engine. To exploit these bugs, a user must open a specially crafted Excel file while using an at-risk version of Windows. An attacker could exploit these vulnerabilities to execute code on the victim's machine at an administrator's level. \n \n[CVE-2018-8430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8430>) is a remote code execution vulnerability in Microsoft Word 2013 and 2016. An attacker can exploit this by tricking a user into opening a specially crafted, malicious PDF. \n \n[CVE-2018-8447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8447>) is an elevation of privilege vulnerability that lies in the way Windows processes calls to Advanced Local Procedure Call (ALPC). An attacker would need to log onto the system directly in order to exploit this vulnerability, and then run a specially crafted application. 
\n \n[CVE-2018-8331](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8331>) is a remote code execution vulnerability in Microsoft Excel that exists when the software fails to correctly handle objects in memory. A user could trigger this bug by opening a specially crafted, malicious file received in an email or downloaded from a web page. \n \n[CVE-2018-8315](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8315>) is an information disclosure vulnerability in Microsoft's scripting engine that could expose uninitialized memory if exploited. An attacker could access this information by convincing a user to visit a malicious website and then leveraging the vulnerability to obtain privileged data from the browser process. \n \n[CVE-2018-8335](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8335>) is a denial-of-service vulnerability in the Microsoft Server Message Block (SMB) implementation. An attacker can send a specially crafted request to the server to trigger this vulnerability. \n \n[CVE-2018-8425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8425>) is a spoofing vulnerability in the Microsoft Edge web browser. The bug lies in the way the browser handles specific HTML content. If an attacker correctly exploits this bug, a user could be tricked into thinking they are visiting a legitimate website when they are actually on a malicious page. \n \n[CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>) is an elevation of privilege vulnerability that occurs when Windows incorrectly handles calls to Advanced Local Procedure Call (ALPC). An attacker needs to log onto the system directly to exploit this vulnerability, and then run a specially crafted application to take over the system. This vulnerability has been spotted in the wild as part of several pieces of malware. 
\n \nThe other vulnerabilities that are rated \"important\" are: \n \n\n\n * [CVE-2018-8271 \u2014 Windows Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8271>)\n * [CVE-2018-8336 \u2014 Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8336>)\n * [CVE-2018-8337 \u2014 Windows Subsystem for Linux Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8337>)\n * [CVE-2018-8366 \u2014 Microsoft Edge Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8366>)\n * [CVE-2018-8409 \u2014 ASP.NET Core Denial of Service](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8409>)\n * [CVE-2018-8410 \u2014 Windows Registry Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8410>)\n * [CVE-2018-8424 \u2014 Windows GDI Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8424>)\n * [CVE-2018-8426 \u2014 Microsoft Office SharePoint XSS Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8426>)\n * [CVE-2018-8428 \u2014 Microsoft SharePoint Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8428>)\n * [CVE-2018-8429 \u2014 Microsoft Excel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8429>)\n * [CVE-2018-8431 \u2014 Microsoft SharePoint Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8431>)\n * [CVE-2018-8433 \u2014 Microsoft Graphics Component Information Disclosure 
Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8433>)\n * [CVE-2018-8434 \u2014 Windows Hyper-V Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8434>)\n * [CVE-2018-8435 \u2014 Windows Hyper-V Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8435>)\n * [CVE-2018-8436 \u2014 Windows Hyper-V Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8436>)\n * [CVE-2018-8437 \u2014 Windows Hyper-V Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8437>)\n * [CVE-2018-8438 \u2014 Windows Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8438>)\n * [CVE-2018-8441 \u2014 Windows ALPC Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8441>)\n * [CVE-2018-8442 \u2014 Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8442>)\n * [CVE-2018-8443 \u2014 Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8443>)\n * [CVE-2018-8444 \u2014 Windows SMB Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8444>)\n * [CVE-2018-8445 \u2014 Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8445>)\n * [CVE-2018-8446 \u2014 Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8446>)\n * [CVE-2018-8449 \u2014 Device Guard Security Feature Bypass 
Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8449>)\n * [CVE-2018-8452 \u2014 Scripting Engine Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8452>)\n * [CVE-2018-8455 \u2014 Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8455>)\n * [CVE-2018-8462 \u2014 DirectX Graphics Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8462>)\n * [CVE-2018-8463 \u2014 Microsoft Edge Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8463>)\n * [CVE-2018-8468 \u2014 Windows Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8468>)\n * [CVE-2018-8469 \u2014 Microsoft Edge Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8469>)\n * [CVE-2018-8470 \u2014 Internet Explorer Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8470>)\n \n\n\n## Coverage\n\n \nIn response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. 
\n \n**Snort Rules:** 45142-45143, 47702-47703, 47717-47718, 47730-47741, 47745-47748 \n \n \n\n\n", "modified": "2018-09-12T17:20:48", "published": "2018-09-11T11:56:00", "id": "TALOSBLOG:116422E24074F675755331EBA739BEB9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/78jpAdLIztI/ms-tuesday.html", "type": "talosblog", "title": "Microsoft Patch Tuesday - September 2018", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2017-11-26T20:03:00", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11768", "CVE-2017-11770", "CVE-2017-11788", "CVE-2017-11791", "CVE-2017-11803", "CVE-2017-11827", "CVE-2017-11830", "CVE-2017-11831", "CVE-2017-11832", "CVE-2017-11833", "CVE-2017-11834", "CVE-2017-11835", "CVE-2017-11836", "CVE-2017-11837", "CVE-2017-11838", "CVE-2017-11839", "CVE-2017-11840", "CVE-2017-11841", "CVE-2017-11842", "CVE-2017-11843", "CVE-2017-11844", "CVE-2017-11845", "CVE-2017-11846", "CVE-2017-11847", "CVE-2017-11848", "CVE-2017-11849", "CVE-2017-11850", "CVE-2017-11851", "CVE-2017-11852", "CVE-2017-11853", "CVE-2017-11854", "CVE-2017-11855", "CVE-2017-11856", "CVE-2017-11858", "CVE-2017-11861", "CVE-2017-11862", "CVE-2017-11863", "CVE-2017-11866", "CVE-2017-11867", "CVE-2017-11869", "CVE-2017-11870", "CVE-2017-11871", "CVE-2017-11872", "CVE-2017-11873", "CVE-2017-11874", "CVE-2017-11876", "CVE-2017-11877", "CVE-2017-11878", "CVE-2017-11879", "CVE-2017-11880", "CVE-2017-11882", "CVE-2017-11883", "CVE-2017-8700"], "description": "\n\nThe dreaded white, blank screen in Microsoft Word is taunting me, with its blinking cursor asking for words to be written. Just when I thought I wouldn\u2019t get any inspiration for this week\u2019s blog, inspiration came to me from beyond through our late CTO Raimund Genes. Earlier this week, the third annual Trend Micro Capture the Flag (CTF), now known as the Raimund Genes Cup, competition was held in Tokyo, giving IT and security professionals the opportunity to expand their skill sets. 
A total of 10 teams participated in multiple challenges in categories including targeted attacks, Internet of Things (IoT), Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA). Team Egrf33ks won this year\u2019s competition and now qualifies for HITCON 2017. For the full results of this year\u2019s CTF, click [here](<https://www.trendmicro.com/en_us/campaigns/capture-the-flag.html>).\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine\u00ae (DV) package includes coverage for Microsoft updates released on or before November 14, 2017. It was another big month with 53 security patches covering Internet Explorer (IE), Microsoft Edge, Microsoft Windows, Microsoft Office, ASP.NET Core and .NET Core, and Chakra Core. 20 of the patches are listed as Critical and 31 are rated Important. Six of the Microsoft CVEs came through the Zero Day Initiative program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [November 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/11/14/the-november-2017-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-11768 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11770 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11788 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11791 | 29921 | \nCVE-2017-11803 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11827 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11830 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11831 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11832 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11833 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11834 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11835 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11836 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11837 | 29923 | \nCVE-2017-11838 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11839 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11840 | 29926 | \nCVE-2017-11841 | 29933 | \nCVE-2017-11842 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11843 | 29931 | \nCVE-2017-11844 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11845 | 29930 | \nCVE-2017-11846 | 29932 | \nCVE-2017-11847 | 29924 | \nCVE-2017-11848 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11849 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11850 | | Vendor Deemed Reproducibility or Exploitation Unlikely 
\nCVE-2017-11851 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11852 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11853 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11854 | 29929 | \nCVE-2017-11855 | 29918 | \nCVE-2017-11856 | *29744 | \nCVE-2017-11858 | *29832 | \nCVE-2017-11861 | 29925 | \nCVE-2017-11862 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11863 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11866 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11867 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11869 | *29794 | \nCVE-2017-11870 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11871 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11872 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11873 | 29927 | \nCVE-2017-11874 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11876 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11877 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11878 | *29784 | \nCVE-2017-11879 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11880 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11882 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11883 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8700 | | Vendor Deemed Reproducibility or Exploitation Unlikely \n \n \n\n**Zero-Day Filters**\n\nThere are 6 new zero-day filters covering one vendor in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. 
You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Adobe (6)_**\n\n| \n\n * 29934: ZDI-CAN-5140: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 29935: ZDI-CAN-5141: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 29936: ZDI-CAN-5142: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 29937: ZDI-CAN-5143: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 29938: ZDI-CAN-5144: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 29939: ZDI-CAN-5145: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-november-6-2017/>).", "modified": "2017-11-17T16:46:19", "published": "2017-11-17T16:46:19", "href": "https://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-november-13-2017/", "id": "TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "type": "trendmicroblog", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of November 13, 2017", "cvss": {"score": 0.0, "vector": "NONE"}}]}